Added support for bastille firewall.
5 files modified
7 files added
New file |
| | |
| | | #!/bin/sh |
| | | # |
| | | # bastille-firewall Load/unload ipchains rulesets |
| | | # |
| | | # do not rename this file unless you edit /sbin/bastille-firewall-reset |
| | | # |
| | | # chkconfig: 2345 5 98 |
| | | # description: A firewall/packet-filter script for Linux systems \ |
| | | # that allows the machine to be used as a gateway system |
| | | # |
| | | # $Id: bastille-firewall,v 1.6 2002/02/24 17:19:14 peterw Exp $ |
| | | # Copyright (c) 1999-2002 Peter Watkins |
| | | # |
| | | # This program is distributed in the hope that it will be useful, |
| | | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| | | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| | | # GNU General Public License for more details. |
| | | # |
| | | # You should have received a copy of the GNU General Public License |
| | | # along with this program; if not, write to the Free Software |
| | | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| | | # |
| | | # Thanks to David Ranch, Brad A, Don G, and others for their suggestions |
| | | # |
| | | # This script is designed to be used as a SysV-style init script. |
| | | # |
| | | # It should be run with a "start" argument |
| | | # 1) as an rc?.d "S" script, _before_ the "network" script |
| | | # [copy this to /etc/rc.d/init.d/bastille-firewall (or your equivalent of |
| | | # /etc/rc.d/init.d) and run 'chkconfig -add bastille-firewall' ] |
| | | # 2) any time an interface is brought up or changed, e.g. |
| | | # establishing a PPP conection or renewing a DHCP lease |
| | | # [copy 'bastille-firewall-reset', 'bastille-firewall-schedule' |
| | | # and 'ifup-local' to /sbin/] |
| | | # |
| | | # Normally you Do Not _Ever_ Want to run this with a "stop" argument! |
| | | # |
| | | # Note that running this with "stop" will disable the firewall and open |
| | | # your system to all network traffic; if you make changes to these rules, |
| | | # apply them by running the script again with a "start" argument. |
| | | # |
| | | # ** As of 0.99-beta1, this script merely kicks off the real script, |
| | | # either /sbin/bastille-ipchains or /sbin/bastille-netfilter |
| | | |
| | | # Default is to use the 'ipchains' script, which will load the |
| | | # ipchains compatibility module if you're using a 2.4 kernel |
| | | REALSCRIPT=/sbin/bastille-ipchains |
| | | PATH=/sbin:/bin:/usr/sbin:/usr/bin |
| | | |
| | | # exit function to be called in place of regular Bourne exit |
| | | clean_exit() |
| | | { |
| | | rmdir /var/lock/bastille-firewall 2>/dev/null |
| | | exit $1 |
| | | } |
| | | |
| | | [ ! -d /var/lock ] && mkdir -m 0755 /var/lock |
| | | |
| | | mkdir -m 0700 /var/lock/bastille-firewall 2>/dev/null |
| | | if [ $? -ne 0 ]; then |
| | | if [ -n "${BASTILLE_FWALL_QUIET_FAIL}" ]; then exit 0; fi |
| | | echo "ERROR: bastille-firewall currently being reset or lock is stuck." |
| | | echo "To un-stick, remove the directory /var/lock/bastille-firewall" |
| | | exit 1 |
| | | fi |
| | | |
| | | if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then |
| | | # We are using Linux 2.3 or newer; use the netfilter script if available |
| | | if [ -x /sbin/bastille-netfilter ]; then |
| | | REALSCRIPT=/sbin/bastille-netfilter |
| | | fi |
| | | fi |
| | | |
| | | if [ ! -x ${REALSCRIPT} ]; then |
| | | echo "ERROR: \"${REALSCRIPT}\" not available!" |
| | | clean_exit 1 |
| | | fi |
| | | |
| | | ${REALSCRIPT} "$1" |
| | | bretval=$? |
| | | |
| | | # Use "subsys" locks to indicate our status |
| | | case "$1" in |
| | | start|restart|reload) |
| | | if [ $bretval -eq 0 ]; then touch /var/lock/subsys/bastille-firewall; fi |
| | | ;; |
| | | stop) |
| | | rm -f /var/lock/subsys/bastille-firewall |
| | | ;; |
| | | esac |
| | | |
| | | clean_exit $bretval |
| | | |
New file |
| | |
| | | #!/bin/sh |
| | | # |
| | | # /sbin/bastille-ipchains Load/unload ipchains rulesets |
| | | # |
| | | # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-ipchains,v $ |
| | | # Modified by: $Author: peterw $ |
| | | # $Date: 2001/08/18 15:38:31 $ |
| | | # $Revision: 1.18 $ |
| | | # |
| | | # Copyright (C) 1999-2001 Peter Watkins |
| | | # |
| | | # This program is distributed in the hope that it will be useful, |
| | | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| | | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| | | # GNU General Public License for more details. |
| | | # |
| | | # You should have received a copy of the GNU General Public License |
| | | # along with this program; if not, write to the Free Software |
| | | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| | | # |
| | | # Thanks to David Ranch, Brad A, Don G, and others for their suggestions |
| | | # |
| | | # This script is designed to be called BY a SysV-style init script. |
| | | # |
| | | # It should be run with a "start" argument |
| | | # 1) BY an rc?.d "S" script, _before_ the "network" script |
| | | # (normally via the "bastille-firewall" init script; |
| | | # as of 2001/02/14, the only purpose of bastille-firewall |
| | | # is to start this script) |
| | | # 2) any time an interface is brought up or changed, e.g. |
| | | # establishing a PPP conection or renewing a DHCP lease |
| | | # [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and |
| | | # 'ifup-local' to /sbin/ (in addition to the bastille-firewall init script] |
| | | # |
| | | # Normally you Do Not _Ever_ Want to run this with a "stop" argument! |
| | | # |
| | | # Note that running this with "stop" will disable the firewall and open |
| | | # your system to all network traffic; if you make changes to these rules, |
| | | # apply them by running the script again with a "start" argument. |
| | | |
| | | PATH=/bin:/sbin:/usr/bin:/usr/sbin |
| | | IPCHAINS=/sbin/ipchains |
| | | CONFIG=/etc/Bastille/bastille-firewall.cfg |
| | | |
| | | if [ ! -f ${CONFIG} ]; then |
| | | echo "ERROR: unable to read configuration file \"${CONFIG}\"" |
| | | exit 1 |
| | | fi |
| | | |
| | | # source the configuration file, which will set environment variables |
| | | . ${CONFIG} |
| | | |
| | | if [ -z "${TRUSTED_IFACES}" ]; then |
| | | echo "ERROR: no trusted interfaces specified! Exiting!" |
| | | exit 1 |
| | | fi |
| | | |
| | | # |
| | | # Computed values |
| | | # |
| | | # These things should be queried/computed at run time |
| | | # |
| | | # LOCAL_ADDRESSES |
| | | # |
| | | # LOCAL_ADDRESSES lists all IP addresses for this server |
| | | # (for the INTERNAL_SERVICES rules); if you have virtual |
| | | # network devices, you may want to hand-code this, e.g. |
| | | # LOCAL_ADDRESSES="127.0.0.0/8" |
| | | # |
| | | # The following makes a list of all current IP addresses |
| | | LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: ` |
| | | # |
| | | # |
| | | # INTERNAL_NETWORKS |
| | | # |
| | | # INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES |
| | | # e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0" |
| | | # The following makes a list of all current internal IP addresses _with netmasks_ |
| | | for i in ${INTERNAL_IFACES} ; do |
| | | INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} 2>/dev/null| grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`" |
| | | done |
| | | # |
| | | # |
| | | # DNS_SERVERS |
| | | # |
| | | # Derive this from /etc/resolv.conf if it's not set already |
| | | # Note we only take the first three as most systems' resolvers |
| | | # can only use three nameservers; see MAXNS in resolv.h for details |
| | | MAXNS=3 |
| | | if [ -z "${DNS_SERVERS}" ]; then |
| | | DNS_SERVERS=`grep nameserver /etc/resolv.conf | awk -F\# '{print $1}' | grep '^nameserver' | awk '{print $2"/32"}' | head -${MAXNS}` |
| | | fi |
| | | # |
| | | # |
| | | # LOG_FLAG |
| | | # |
| | | # Flag to add to ${REJECT_METHOD} rules to force logging |
| | | if [ "${LOG_FAILURES}" = "Y" ]; then |
| | | LOG_FLAG="-l" |
| | | else |
| | | LOG_FLAG="" |
| | | fi |
| | | # |
| | | # |
| | | # CALLED_METHOD |
| | | # |
| | | # Variable to hold $1, for use in functions (which have their own $1 vars) |
| | | CALLED_METHOD="$1" |
| | | # |
| | | # |
| | | # REJECT_METHOD |
| | | # Convert netfilter/DROP to ipchains/DENY |
| | | if [ "${REJECT_METHOD}" = "DROP" ]; then |
| | | REJECT_METHOD="DENY" |
| | | fi |
| | | # |
| | | # |
| | | # NTP_SERVERS |
| | | # |
| | | # Do hostname lookups for any names in NTP_SERVERS |
| | | # |
| | | ntp_server_addrs="" |
| | | for n in ${NTP_SERVERS}; do |
| | | ip=`echo ${n} | egrep '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'` |
| | | if [ -n "${ip}" ]; then |
| | | # looks like an IP address, use it as-is |
| | | ntp_server_addrs="${ntp_server_addrs} ${ip}" |
| | | else |
| | | # use 'host' t resolve address |
| | | ip=`host ${n} 2>/dev/null| awk '/ has address / { print $4 }' | head -1` |
| | | ntp_server_addrs="${ntp_server_addrs} ${ip}" |
| | | fi |
| | | done |
| | | |
| | | |
| | | # |
| | | # Shell functions |
| | | # |
| | | # include_supplemental |
| | | # source supplemental (plug-in) firewall scripts |
| | | include_supplemental() |
| | | { |
| | | # args: $1 = nickname for the supplemental phase |
| | | nickname="$1" |
| | | if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then |
| | | cd /etc/Bastille/firewall.d && . ./${nickname}.sh |
| | | fi |
| | | if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then |
| | | for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do |
| | | cd /etc/Bastille/firewall.d/${nickname}.d && \ |
| | | . ${s} |
| | | done |
| | | fi |
| | | } |
| | | # |
| | | # do_masq_mods |
| | | # Function to load/unload "ip_masq_*" kernel modules |
| | | do_masq_mods() |
| | | { |
| | | # args: $1 = "load" or "unload" |
| | | # |
| | | # find the currently loaded modules |
| | | masq_mods=`lsmod | awk '{print $1}' | grep '^ip_masq_'` |
| | | # |
| | | # Step 1: unload unwanted modules |
| | | for m in ${masq_mods} ; do |
| | | UNLOAD_THIS_MOD=Y |
| | | for normal_mod in ${IP_MASQ_MODULES} ; do |
| | | if [ "ip_masq_${normal_mod}" = $m ]; then |
| | | # this module is _supposed_ to be loaded |
| | | UNLOAD_THIS_MOD=N |
| | | fi |
| | | done |
| | | if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then |
| | | # we're either disabling the firewall or we've disabled masquerading, |
| | | # so we should unload _all_ masq modules |
| | | UNLOAD_THIS_MOD=Y |
| | | fi |
| | | if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then |
| | | rmmod $m || echo "Error unloading ${m} module" |
| | | fi |
| | | done |
| | | # Step 2: load wanted modules that are not already loaded |
| | | if [ $1 = "load" ]; then |
| | | for normal_mod in ${IP_MASQ_MODULES} ; do |
| | | MOD_LOADED=N |
| | | for m in ${masq_mods} ; do |
| | | if [ "ip_masq_${normal_mod}" = ${m} ]; then |
| | | MOD_LOADED=Y |
| | | fi |
| | | done |
| | | if [ $MOD_LOADED = "N" ]; then |
| | | insmod "ip_masq_${normal_mod}" || echo "Error loading ip_masq_${normal_mod} module" |
| | | fi |
| | | done |
| | | fi |
| | | } |
| | | |
| | | # See how we were called. |
| | | case "$1" in |
| | | start|reload|restart) |
| | | # |
| | | # anything to do before resetting? |
| | | include_supplemental pre-reset |
| | | # |
| | | # For Red Hat users, let's ensure that its firewalls are disabled |
| | | rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on` |
| | | rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on` |
| | | bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on` |
| | | if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then |
| | | echo |
| | | echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'" |
| | | echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls." |
| | | [ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off |
| | | [ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off |
| | | echo |
| | | fi |
| | | # load the IPCHAINS compatibilty module if we're using a 2.4 kernel |
| | | if [ -n "$(uname -r | awk -F. ' $1 == 2 && $2 > 2 {print}')" ]; then |
| | | echo "Loading ipchains compatibility module" |
| | | modprobe ipchains |
| | | fi |
| | | # |
| | | # we set defaults to DENY now to minimize possible interruptions |
| | | # if this script is re-run to reset rules |
| | | # |
| | | # set default policy to disallow forwarding |
| | | ${IPCHAINS} -P forward DENY |
| | | # flush rules |
| | | ${IPCHAINS} -F forward |
| | | # default is to disallow incoming traffic |
| | | ${IPCHAINS} -P input DENY |
| | | # flush rules |
| | | ${IPCHAINS} -F input |
| | | # disallow outbound until we set up the explicit outbound rules |
| | | ${IPCHAINS} -P output DENY |
| | | # flush rules |
| | | ${IPCHAINS} -F output |
| | | |
| | | # Run our "early" custom script if it exists |
| | | [ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh |
| | | |
| | | # any new-style "early" plugins? |
| | | include_supplemental early |
| | | |
| | | # always allow MTU discovery packets |
| | | ${IPCHAINS} -A input -p icmp --icmp-type fragmentation-needed -j ACCEPT |
| | | ${IPCHAINS} -A output -p icmp --icmp-type fragmentation-needed -j ACCEPT |
| | | |
| | | include_supplemental pre-local-block |
| | | |
| | | # Block any non-local attempts to get localhost addresses |
| | | # per woody@thebunker.net's bugtraq post |
| | | ${IPCHAINS} -A input -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | |
| | | # Fragments |
| | | if [ "${ALLOW_FRAGMENTS}" = "N" ]; then |
| | | ${IPCHAINS} -A input -f -j ${REJECT_METHOD} |
| | | fi |
| | | |
| | | # from the ipchains HOWTO, I think |
| | | if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then |
| | | if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then |
| | | echo -n "Setting up IP spoofing protection..." |
| | | for f in /proc/sys/net/ipv4/conf/*/rp_filter; do |
| | | echo 1 > $f |
| | | done |
| | | echo " done." |
| | | else |
| | | echo "WARNING: errors encountered while trying to enable IP spoofing protection!" |
| | | fi |
| | | fi |
| | | |
| | | include_supplemental pre-trusted |
| | | |
| | | # Allow all traffic from trusted interfaces |
| | | echo -n "Allowing traffic from trusted interfaces..." |
| | | for t_iface in ${TRUSTED_IFACES} ; do |
| | | ${IPCHAINS} -A input -i ${t_iface} -d 0.0.0.0/0 -j ACCEPT |
| | | done |
| | | echo " done. " |
| | | |
| | | # If you have networks that route traffic to each other through this |
| | | # server, you may want to add some forwarding rules, here, e.g. |
| | | # one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0" |
| | | #${IPCHAINS} -A forward -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT |
| | | # the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1" |
| | | #${IPCHAINS} -A forward -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT |
| | | |
| | | include_supplemental pre-mcast-block |
| | | |
| | | # No packets with multicast source addresses (Joshua K, RFC 1122) |
| | | ${IPCHAINS} -A input -s 224.0.0.0/4 -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | |
| | | # Forwarding |
| | | |
| | | include_supplemental pre-nat |
| | | |
| | | # IP Masquerading/forwarding |
| | | # |
| | | # Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list) |
| | | do_masq_mods unload |
| | | # |
| | | if [ -n "${IP_MASQ_NETWORK}" ]; then |
| | | echo -n "Setting up masquerading rules..." |
| | | # since we've set the default forwarding policy to |
| | | # reject, we can enable forwarding now |
| | | echo 1 > /proc/sys/net/ipv4/ip_forward |
| | | # set up rules for masqueraded networks |
| | | for net in ${IP_MASQ_NETWORK} ; do |
| | | if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then |
| | | # NetBIOS |
| | | ${IPCHAINS} -A forward -p tcp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | ${IPCHAINS} -A forward -p udp -s ${net} -d 0.0.0.255/0.0.0.255 137:139 -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | fi |
| | | for pub in ${PUBLIC_IFACES} ; do |
| | | # NAT should be one-way, deny traffic from public |
| | | # interfaces that is addresses to masq'ed networks |
| | | ${IPCHAINS} -A input -d ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | # spoofed addreses from outside |
| | | ${IPCHAINS} -A input -s ${net} -i ${pub} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | # enable forwarding |
| | | ${IPCHAINS} -A forward -s ${net} -i ${pub} -j MASQ |
| | | done |
| | | done |
| | | echo " done." |
| | | echo -n "Loading masquerading modules..." |
| | | do_masq_mods load |
| | | echo " done." |
| | | fi |
| | | |
| | | echo -n "Setting up chains for public/internal interface traffic..." |
| | | |
| | | # make a public input chain |
| | | ${IPCHAINS} -N PUB_IN 2> /dev/null |
| | | ${IPCHAINS} -F PUB_IN |
| | | # as close to setting policy as we can get |
| | | ${IPCHAINS} -A PUB_IN -j DENY |
| | | # make a public output chain |
| | | ${IPCHAINS} -N PUB_OUT 2> /dev/null |
| | | ${IPCHAINS} -F PUB_OUT |
| | | # as close to setting policy as we can get |
| | | ${IPCHAINS} -A PUB_OUT -j DENY |
| | | |
| | | # make an "INTERNAL" input chain |
| | | ${IPCHAINS} -N INT_IN 2> /dev/null |
| | | ${IPCHAINS} -F INT_IN |
| | | # as close to setting policy as we can get |
| | | ${IPCHAINS} -A INT_IN -j DENY |
| | | # make an "INTERNAL" output chain |
| | | ${IPCHAINS} -N INT_OUT 2> /dev/null |
| | | ${IPCHAINS} -F INT_OUT |
| | | # as close to setting policy as we can get |
| | | ${IPCHAINS} -A INT_OUT -j DENY |
| | | |
| | | include_supplemental pre-chain-split |
| | | |
| | | # direct packets to the INTERNAL_* chains |
| | | for iface in ${INTERNAL_IFACES} ; do |
| | | ${IPCHAINS} -A input -i ${iface} -j INT_IN |
| | | ${IPCHAINS} -A output -i ${iface} -j INT_OUT |
| | | NON_LOOPBACK_SEEN=N |
| | | for net in ${LOCAL_ADDRESSES} ; do |
| | | if [ ${net} != "127.0.0.1/8" ]; then |
| | | NON_LOOPBACK_SEEN=Y |
| | | fi |
| | | done |
| | | # complain if no local addresses |
| | | if [ ${NON_LOOPBACK_SEEN} = "N" ]; then |
| | | echo "WARNING: no non-loopback local addresses; protection from INTERNAL_IFACES not enabled!" |
| | | fi |
| | | done |
| | | |
| | | # Direct PUBLIC interface traffic to the proper chain |
| | | for iface in ${PUBLIC_IFACES} ; do |
| | | ${IPCHAINS} -A input -i ${iface} -j PUB_IN |
| | | ${IPCHAINS} -A output -i ${iface} -j PUB_OUT |
| | | done |
| | | |
| | | include_supplemental pre-audit |
| | | |
| | | # Auditing must be set up before these packets are blocked! |
| | | # |
| | | for service in ${TCP_AUDIT_SERVICES} ; do |
| | | ${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${service} -y -l |
| | | done |
| | | for service in ${UDP_AUDIT_SERVICES} ; do |
| | | ${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${service} -l |
| | | done |
| | | for type in ${ICMP_AUDIT_TYPES} ; do |
| | | ${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -l |
| | | done |
| | | |
| | | # disallow any attempts to get to internal interfaces from outside |
| | | # not good if this is supposed to route between normal networks |
| | | for int in ${INTERNAL_NETWORKS} ; do |
| | | # deny traffic from public |
| | | # interfaces that is addressed to internal networks |
| | | ${IPCHAINS} -A PUB_IN -d ${int} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | # spoofed addreses from outside |
| | | ${IPCHAINS} -A PUB_IN -s ${int} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | done |
| | | |
| | | echo " done. " |
| | | |
| | | echo -n "Setting up general rules..." |
| | | |
| | | include_supplemental pre-dhcp |
| | | |
| | | # Allow response from DHCP servers |
| | | for iface in ${DHCP_IFACES} ; do |
| | | for chain in input PUB_IN INT_IN ; do |
| | | # allow UDP responses |
| | | ${IPCHAINS} -A ${chain} -p udp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT |
| | | # normally we allow TCP data returns so this is redundant |
| | | # ${IPCHAINS} -A ${chain} -p tcp -s 0.0.0.0/0 bootps -d 255.255.255.255/0 bootpc -j ACCEPT |
| | | done |
| | | # make link so dhcpcd runs firewall when IP changes (if no such file already) |
| | | [ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750 |
| | | if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then |
| | | ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe |
| | | fi |
| | | done |
| | | |
| | | include_supplemental pre-internal |
| | | |
| | | # internal interface rules |
| | | for net in ${LOCAL_ADDRESSES} ; do |
| | | # Allow accessses to TCP services on this system |
| | | for serv in ${TCP_INTERNAL_SERVICES} ; do |
| | | ${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} -j ACCEPT |
| | | done |
| | | ${IPCHAINS} -A INT_IN -p tcp -d ${net} ${serv} \! -y -j ACCEPT |
| | | # UDP services |
| | | for serv in ${UDP_INTERNAL_SERVICES} ; do |
| | | ${IPCHAINS} -A INT_IN -p udp -d ${net} ${serv} -j ACCEPT |
| | | done |
| | | done |
| | | # ICMP |
| | | # hopefully you don't care about hiding from internal hosts! |
| | | ${IPCHAINS} -A INT_IN -p icmp -d 0.0.0.0/0 -j ACCEPT |
| | | ${IPCHAINS} -A INT_OUT -p icmp -d 0.0.0.0/0 -j ACCEPT |
| | | # ...but if you do... try this... (and see the PUB_IN rules below) |
| | | #for type in ${ICMP_ALLOWED_TYPES} ; do |
| | | # ${IPCHAINS} -A INT_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT |
| | | #done |
| | | #for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do |
| | | # ${IPCHAINS} -A INT_OUT -p icmp --icmp-type ${type} -j REJECT |
| | | #done |
| | | |
| | | # input rules |
| | | # |
| | | # public interfaces |
| | | |
| | | include_supplemental pre-input |
| | | |
| | | # --------------------- ICMP -------------------------- |
| | | for type in ${ICMP_ALLOWED_TYPES} ; do |
| | | ${IPCHAINS} -A PUB_IN -p icmp --icmp-type ${type} -d 0.0.0.0/0 -j ACCEPT |
| | | done |
| | | |
| | | # --------------------- TCP -------------------------- |
| | | for serv in ${TCP_PUBLIC_SERVICES} ; do |
| | | ${IPCHAINS} -A PUB_IN -p tcp -d 0.0.0.0/0 ${serv} -j ACCEPT |
| | | done |
| | | |
| | | # if you're disallowing ICMP, you may be trying to look |
| | | # invisible/disable ping, so let's just drop these attempts |
| | | ${IPCHAINS} -A PUB_IN -p icmp -d 0.0.0.0/0 -j DENY ${LOG_FLAG} |
| | | |
| | | for chain in PUB_IN INT_IN ; do |
| | | if [ ${FORCE_PASV_FTP} != "Y" ]; then |
| | | # no point explicitly blocking TCP services unless active FTP is enabled |
| | | # Step 1: block the high port TCP services |
| | | for serv in ${TCP_BLOCKED_SERVICES} ; do |
| | | # only block -y initial connects; in case the port was needlessly |
| | | # specified, this should still enable it to be used as a source |
| | | # port for non-FTP connecions from this host or machines using it as a gateway |
| | | ${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 ${serv} -y -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | done |
| | | # FEATURE: check bound high TCP and complain? |
| | | # Step 2: allow the ftp-data connections |
| | | ${IPCHAINS} -A ${chain} -p tcp -d 0.0.0.0/0 1024: -s 0.0.0.0/0 ftp-data -j ACCEPT |
| | | fi |
| | | |
| | | # general response to my TCP requests |
| | | ${IPCHAINS} -A ${chain} -p tcp \! -y -j ACCEPT |
| | | |
| | | # no TCP requests to other ports (redundant) |
| | | # ${IPCHAINS} -A ${chain} -p tcp -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | |
| | | # --------------------- UDP -------------------------- |
| | | for serv in ${UDP_PUBLIC_SERVICES} ; do |
| | | ${IPCHAINS} -A PUB_IN -p udp -d 0.0.0.0/0 ${serv} -j ACCEPT |
| | | done |
| | | |
| | | # This isn't necessary unless you have DNS_SERVERS or NTP_SERVERS |
| | | # but who wouldn't have DNS servers configured? |
| | | for serv in ${UDP_BLOCKED_SERVICES} ; do |
| | | ${IPCHAINS} -A ${chain} -p udp -d 0.0.0.0/0 ${serv} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | done |
| | | |
| | | for dns_net in ${DNS_SERVERS} ; do |
| | | ${IPCHAINS} -A ${chain} -p udp -s ${dns_net} domain -d 0.0.0.0/0 1024: -j ACCEPT |
| | | done |
| | | |
| | | for ntp_net in ${ntp_server_addrs} ; do |
| | | # this allows unprivileged queries, e.g. 'ntpdate' |
| | | ${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 1024: -j ACCEPT |
| | | # this allows you to run an ntp daemon to maintain |
| | | # system time nore gracefully than with 'ntpdate' |
| | | ${IPCHAINS} -A ${chain} -p udp -s ${ntp_net} ntp -d 0.0.0.0/0 ntp -j ACCEPT |
| | | done |
| | | # Reject other UDP (redundant) |
| | | #${IPCHAINS} -A ${chain} -p udp -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | done |
| | | |
| | | |
| | | # end of loop through public interfaces for input rules |
| | | |
| | | if [ ${FORCE_PASV_FTP} != "Y" -a \( -n "${PUBLIC_IFACES}" -o -n "${INTERNAL_IFACES}" \) ]; then |
| | | # warning |
| | | echo |
| | | echo "WARNING: allowing \"active\" FTP; any unknown TCP services running" |
| | | echo "on high ports will be vulnerable; blocking too many high TCP ports" |
| | | echo "may affect various TCP _clients_ running on this machine or using" |
| | | echo "this machine as a gateway." |
| | | fi |
| | | |
| | | # now we can deny the attempts from the internal interfaces to this host |
| | | for tnet in ${LOCAL_ADDRESSES} ; do |
| | | for chain in PUB_IN INT_IN ; do |
| | | ${IPCHAINS} -A ${chain} -d ${tnet} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | done |
| | | done |
| | | # now that we've blocked attempts from the internal interfaces |
| | | # to the IP's on this server, we need to accept other connections |
| | | # so the IP Masq / NAT will function |
| | | for net in ${IP_MASQ_NETWORK} ; do |
| | | for chain in PUB_IN INT_IN ; do |
| | | ${IPCHAINS} -A ${chain} -s ${net} -j ACCEPT |
| | | done |
| | | done |
| | | |
| | | # --------------------- catch-all -------------------------- |
| | | # Reject all other traffic (redundant if not logging) |
| | | if [ ${LOG_FAILURES} = "Y" ]; then |
| | | for chain in input forward PUB_IN INT_IN ; do |
| | | ${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | done |
| | | fi |
| | | |
| | | # |
| | | echo " done." |
| | | |
| | | echo -n "Setting up outbound rules..." |
| | | |
| | | include_supplemental pre-output |
| | | |
| | | # block outbound ICMP types (usu. to hide from traceroute) |
| | | for type in ${ICMP_OUTBOUND_DISABLED_TYPES} ; do |
| | | # ** The following will limit ICMP on public and internal interfaces: |
| | | # for chain in PUB_OUT INT_OUT ; do |
| | | # ** but our default is to only limit outbound ICMP on public interfaces |
| | | for chain in PUB_OUT ; do |
| | | ${IPCHAINS} -A ${chain} -p icmp --icmp-type ${type} -j REJECT ${LOG_FLAG} |
| | | done |
| | | done |
| | | # |
| | | # Here you might really lock things down if this is a server, |
| | | # e.g., to keep it from doing anything but connecting to |
| | | # SMTP servers and responding to Web requests, or whatever |
| | | # the specific requirements are. |
| | | # |
| | | # Such lockdowns are recommended if the situation affords you |
| | | # that flexibility. |
| | | # |
| | | # default is to enable outbound traffic |
| | | # (again, here, for a server you might default to ${REJECT_METHOD} ) |
| | | ${IPCHAINS} -P output ACCEPT |
| | | |
| | | include_supplemental pre-policy-reset |
| | | |
| | | # Now that all rules are set, we can change the policies |
| | | # to the user preference safely |
| | | ${IPCHAINS} -P forward ${REJECT_METHOD} |
| | | ${IPCHAINS} -P input ${REJECT_METHOD} |
| | | # to set default "policies" for PUB_* and INT_* chains, add a final rule |
| | | if [ ${LOG_FAILURES} != "Y" ]; then |
| | | # if LOG_FAILURES were set, we would have already done this |
| | | for chain in PUB_IN INT_IN ; do |
| | | ${IPCHAINS} -A ${chain} -j ${REJECT_METHOD} ${LOG_FLAG} |
| | | done |
| | | fi |
| | | for chain in PUB_OUT INT_OUT ; do |
| | | ${IPCHAINS} -A ${chain} -j ACCEPT |
| | | done |
| | | # rule 1 in all of these chains is a deny rule; remove it so other rules work |
| | | for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do |
| | | ${IPCHAINS} -D ${chain} -j DENY |
| | | done |
| | | |
| | | include_supplemental post-rule-setup |
| | | |
| | | echo " done." |
| | | |
| | | ;; |
| | | stop) |
| | | include_supplemental pre-drop-rules |
| | | echo |
| | | echo "WARNING: reverting to default settings (dropping firewall)" |
| | | # We should disable NAT/forwarding even if not set to restore defaults |
| | | echo -n "disabling IP forwarding..." |
| | | echo 0 > /proc/sys/net/ipv4/ip_forward |
| | | echo " done." |
| | | echo -n "unloading masquerading modules..." |
| | | do_masq_mods unload |
| | | echo " done." |
| | | # flushing seems to leave the default input at ${REJECT_METHOD} |
| | | echo -n "resetting default input rules to accept..." |
| | | ${IPCHAINS} -P input ACCEPT |
| | | echo " done." |
| | | echo -n "resetting default output rule to accept..." |
| | | ${IPCHAINS} -P output ACCEPT |
| | | echo " done." |
| | | # We disabled forwarding with the /proc interface, but we |
| | | # reset FORWARD to ACCEPT because that;s the normal default |
| | | echo -n "resetting default forward rule to accept..." |
| | | ${IPCHAINS} -P forward ACCEPT |
| | | echo " done." |
| | | for chain in input output forward ; do |
| | | echo -n "flushing ${chain} rules..." |
| | | ${IPCHAINS} -F ${chain} |
| | | echo " done." |
| | | done |
| | | # flush and delete the user-defined chains |
| | | echo -n "removing user-defined chains..." |
| | | for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do |
| | | ${IPCHAINS} -F ${chain} |
| | | ${IPCHAINS} -X ${chain} |
| | | done |
| | | include_supplemental post-drop-rules |
| | | echo " done." |
| | | ;; |
| | | status) |
| | | ${IPCHAINS} -L -v -n |
| | | ;; |
| | | *) |
| | | echo "Usage: $0 {start|restart|reload|stop|status}" |
| | | exit 1 |
| | | esac |
| | | |
| | | exit 0 |
| | | |
New file |
| | |
| | | #!/bin/sh |
| | | # |
| | | # /sbin/bastille-netfilter Load/unload netfilter rulesets |
| | | # |
| | | # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-netfilter,v $ |
| | | # Modified by: $Author: peterw $ |
| | | # $Date: 2002/01/11 02:23:14 $ |
| | | # $Revision: 1.27 $ |
| | | # |
| | | # Copyright (C) 1999-2001 Peter Watkins |
| | | # |
| | | # This program is distributed in the hope that it will be useful, |
| | | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| | | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| | | # GNU General Public License for more details. |
| | | # |
| | | # You should have received a copy of the GNU General Public License |
| | | # along with this program; if not, write to the Free Software |
| | | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| | | # |
| | | # Thanks to David Ranch, Brad A, Don G, Jay Beale and others |
| | | # (especially the netfilter mailing list!) for their suggestions |
| | | # |
| | | # This script is designed to be called BY a SysV-style init script. |
| | | # |
| | | # It should be run with a "start" argument |
| | | # 1) BY an rc?.d "S" script, _before_ the "network" script |
| | | # (normally via the "bastille-firewall" init script; |
| | | # as of 2001/02/14, the only purpose of bastille-firewall |
| | | # is to start this script) |
| | | # 2) any time an interface is brought up or changed, e.g. |
| | | # establishing a PPP conection or renewing a DHCP lease |
| | | # [also copy 'bastille-firewall-reset', 'bastille-firewall-schedule' and |
| | | # 'ifup-local' to /sbin/ (in addition to the bastille-firewall init script] |
| | | # |
| | | # Normally you Do Not _Ever_ Want to run this with a "stop" argument! |
| | | # |
| | | # Note that running this with "stop" will disable the firewall and open |
| | | # your system to all network traffic; if you make changes to these rules, |
| | | # apply them by running the script again with a "start" argument. |
| | | |
| | | PATH=/bin:/sbin:/usr/bin:/usr/sbin |
| | | IPTABLES=/sbin/iptables |
| | | CONFIG=/etc/Bastille/bastille-firewall.cfg |
| | | |
| | | if [ ! -x ${IPTABLES} ]; then |
| | | echo "ERROR: \"${IPTABLES}\" does not exist!" |
| | | if [ -x /sbin/bastille-ipchains ]; then |
| | | # better to fall back to 'ipchains' than do nothing |
| | | unset IPTABLES |
| | | echo "Executing /sbin/bastille-ipchains $1" |
| | | /sbin/bastille-ipchains $1 |
| | | exit $? |
| | | fi |
| | | exit 1 |
| | | fi |
| | | |
| | | if [ ! -f ${CONFIG} ]; then |
| | | echo "ERROR: unable to read configuration file \"${CONFIG}\"" |
| | | exit 1 |
| | | fi |
| | | |
| | | # source the configuration file, which will set environment variables |
| | | . ${CONFIG} |
| | | |
| | | if [ -z "${REJECT_METHOD}" ]; then |
| | | echo "ERROR: no reject method specified (corrupt config file?) Exiting!" |
| | | exit 1 |
| | | fi |
| | | |
| | | |
| | | # |
| | | # Computed values |
| | | # |
| | | # These things should be queried/computed at run time |
| | | # |
| | | # LOCAL_ADDRESSES |
| | | # |
| | | # LOCAL_ADDRESSES lists all IP addresses for this server |
| | | # (for the INTERNAL_SERVICES rules); if you have virtual |
| | | # network devices, you may want to hand-code this, e.g. |
| | | # LOCAL_ADDRESSES="127.0.0.0/8" |
| | | # |
| | | # The following makes a list of all current IP addresses |
| | | LOCAL_ADDRESSES=`ifconfig | grep "inet addr" | awk '{print $2}' | awk -F: '{print $2"/32"}' | sed s:127\.0\.0\.1/32:127.0.0.1/8: ` |
| | | # |
| | | # |
| | | # DEFAULT_GW_IFACE |
| | | # |
| | | # The name of the address that is the default gateway (for SNAT) |
| | | DEFAULT_GW_IFACE=`netstat -nr | awk '$1 == "0.0.0.0" {print $8}'` |
| | | # |
| | | # |
| | | # INTERNAL_NETWORKS |
| | | # |
| | | # INTERNAL_NETWORKS lists the masked networks for the INT_INTERFACES |
| | | # e.g. INTERNAL_NETWORKS="10.0.0.0/255.0.0.0" |
| | | # The following makes a list of all current internal IP addresses _with netmasks_ |
| | | for i in ${INTERNAL_IFACES} ; do |
| | | INTERNAL_NETWORKS="${INTERNAL_NETWORKS} `ifconfig ${i} | grep "inet addr" | awk '{print $2":"$4}' | awk -F: '{print $2"/"$4}' | sed 's:127\.0\.0\.1/$:127.0.0.1/8:'`" |
| | | if [ $i = "${DEFAULT_GW_IFACE}" ]; then |
| | | DEFAULT_GW_IP=`ifconfig ${i} | grep "inet addr" | awk '{print $2}'` |
| | | fi |
| | | done |
| | | # |
| | | # |
| | | # CALLED_METHOD |
| | | # |
| | | # Variable to hold $1, for use in functions (which have their own $1 vars) |
| | | CALLED_METHOD="$1" |
| | | # |
| | | # |
| | | # REJECT_METHOD |
| | | # |
| | | # Convert ipchains/DENY to netfilter/DROP |
| | | if [ "${REJECT_METHOD}" = "DENY" ]; then |
| | | REJECT_METHOD="DROP" |
| | | fi |
| | | |
| | | # counter number to help toubleshoot |
| | | RULENUM=0 |
| | | |
| | | # |
| | | # Shell functions |
| | | # |
| | | # include_supplemental |
| | | # source supplemental (plug-in) firewall scripts |
| | | include_supplemental() |
| | | { |
| | | # args: $1 = nickname for the supplemental phase |
| | | nickname="$1" |
| | | if [ -e /etc/Bastille/firewall.d/${nickname}.sh ]; then |
| | | cd /etc/Bastille/firewall.d && . ./${nickname}.sh |
| | | fi |
| | | if [ -d /etc/Bastille/firewall.d/${nickname}.d ]; then |
| | | for s in `ls /etc/Bastille/firewall.d/${nickname}.d/*.sh`; do |
| | | cd /etc/Bastille/firewall.d/${nickname}.d && \ |
| | | . ${s} |
| | | done |
| | | fi |
| | | } |
| | | # |
| | | # incr_rule_num |
| | | # Increment counter number to help toubleshoot |
| | | incr_rule_num() |
| | | { |
| | | RULENUM=`expr $RULENUM + 1` |
| | | return 0 |
| | | } |
| | | # |
| | | # do_masq_mods |
| | | # Function to load/unload NAT kernel modules |
| | | do_masq_mods() |
| | | { |
| | | # args: $1 = "load" or "unload" |
| | | # |
| | | # find the currently loaded modules |
| | | masq_mods=`lsmod | awk '{print $1}' | grep '^ip_nat_'` |
| | | # |
| | | # Step 1: unload unwanted modules |
| | | for m in ${masq_mods} ; do |
| | | UNLOAD_THIS_MOD=Y |
| | | for normal_mod in ${IP_MASQ_MODULES} ; do |
| | | if [ "ip_nat_${normal_mod}" = $m -o "ip_nat_${normal_mod}_conntrack" = $m ]; then |
| | | # this module is _supposed_ to be loaded |
| | | UNLOAD_THIS_MOD=N |
| | | fi |
| | | done |
| | | if [ "${CALLED_METHOD}" = "stop" -o -z "${IP_MASQ_NETWORK}" ]; then |
| | | # we're either disabling the firewall or we've disabled masquerading, |
| | | # so we should unload _all_ masq modules |
| | | UNLOAD_THIS_MOD=Y |
| | | fi |
| | | if [ $UNLOAD_THIS_MOD = "Y" -a $1 = "unload" ]; then |
| | | rmmod ${m} || echo "Error unloading ${m} module" |
| | | fi |
| | | done |
| | | # Step 2: load wanted modules that are not already loaded |
| | | if [ $1 = "load" ]; then |
| | | for normal_mod in ${IP_MASQ_MODULES} ; do |
| | | MOD_LOADED=N |
| | | for m in ${masq_mods} ; do |
| | | if [ "ip_nat_${normal_mod}" = $m ]; then |
| | | MOD_LOADED=Y |
| | | fi |
| | | done |
| | | if [ $MOD_LOADED = "N" ]; then |
| | | insmod "ip_nat_${normal_mod}" || echo "Error loading ip_nat_${normal_mod} module" |
| | | fi |
| | | # try to load any _conntrack variants |
| | | modprobe "ip_nat_${normal_mod}_conntrack" 2>/dev/null |
| | | done |
| | | fi |
| | | } |
| | | |
| | | # See how we were called. |
| | | case "$1" in |
| | | start|restart|reload) |
| | | # |
| | | # anything to do before resetting? |
| | | include_supplemental pre-reset |
| | | # |
| | | # Make sure we don't have any ipchains rules! |
| | | for c in INPUT OUTPUT FORWARD; do |
| | | ipchains -P ${c} DENY 2>/dev/null |
| | | ipchains -F ${c} 2>/dev/null |
| | | done |
| | | ipchains -X 2>/dev/null |
| | | rmmod ipchains 2>/dev/null |
| | | # |
| | | # For Red Hat users, let's ensure that its firewalls are disabled |
| | | rhtest_ipchains=`chkconfig --list ipchains 2>/dev/null | grep :on` |
| | | rhtest_iptables=`chkconfig --list iptables 2>/dev/null | grep :on` |
| | | bftest=`chkconfig --list bastille-firewall 2>/dev/null | grep :on` |
| | | if [ \( -n "${rhtest_ipchains}" -o -n "${rhtest_iptables}" \) -a -n "${bftest}" ]; then |
| | | echo |
| | | echo "bastille-firewall conflicts with Red Hat 7.1's 'ipchains'" |
| | | echo "and 'iptables' firewalls. We are disabling Red Hat's firewalls." |
| | | [ -n "${rhtest_ipchains}" ] && chkconfig --level 0123456 ipchains off |
| | | [ -n "${rhtest_iptables}" ] && chkconfig --level 0123456 iptables off |
| | | echo |
| | | fi |
| | | # |
| | | # Make sure the iptables/netfilter kernel module is loaded |
| | | modprobe ip_tables |
| | | # |
| | | # Clean up the default chains |
| | | # |
| | | # we set defaults to DROP to minimize possible interruptions |
| | | # if this script is re-run to reset rules |
| | | # |
| | | for chain in INPUT OUTPUT FORWARD ; do |
| | | ${IPTABLES} -P ${chain} DROP |
| | | # flush rules |
| | | ${IPTABLES} -F ${chain} |
| | | done |
| | | # |
| | | for chain in PREROUTING POSTROUTING ; do |
| | | ${IPTABLES} -t nat -F ${chain} |
| | | done |
| | | ${IPTABLES} -t mangle -F PREROUTING |
| | | # Our custom chains |
| | | for chain in PUB_IN PUB_OUT INT_IN INT_OUT ; do |
| | | ${IPTABLES} -N ${chain} 2> /dev/null |
| | | ${IPTABLES} -F ${chain} |
| | | ${IPTABLES} -A ${chain} -j DROP |
| | | done |
| | | |
| | | # PAROLE chain is used for TCP services |
| | | ${IPTABLES} -N PAROLE 2> /dev/null |
| | | ${IPTABLES} -F PAROLE |
| | | if [ "${IP_ALWAYS_USE_STATE}" = "Y" ]; then |
| | | # nmap NULL scans pass the --syn test, but this doesn't seem |
| | | # to catch them, either |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num |
| | | ${IPTABLES} -A PAROLE -p tcp --tcp-flags ALL NONE -j ${REJECT_METHOD} |
| | | ${IPTABLES} -A PAROLE -p tcp -m state --state NEW --syn -j ACCEPT |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A PAROLE -p tcp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PAROLE ${REJECT_METHOD} $RULENUM" ; incr_rule_num |
| | | ${IPTABLES} -A PAROLE -p tcp -j ${REJECT_METHOD} |
| | | fi |
| | | ${IPTABLES} -A PAROLE -j ACCEPT |
| | | |
| | | # Run our "early" custom script if it exists |
| | | [ -f /etc/Bastille/bastille-firewall-early.sh ] && . /etc/Bastille/bastille-firewall-early.sh |
| | | |
| | | # any new-style "early" plugins? |
| | | include_supplemental early |
| | | |
| | | # enable stateful rules |
| | | modprobe ip_conntrack |
| | | modprobe ip_conntrack_ftp |
| | | modprobe ipt_LOG |
| | | |
| | | # from the ipchains HOWTO |
| | | if [ "${ENABLE_SRC_ADDR_VERIFY}" = "Y" ]; then |
| | | if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then |
| | | echo -n "Setting up IP spoofing protection..." |
| | | for f in /proc/sys/net/ipv4/conf/*/rp_filter; do |
| | | echo 1 > $f |
| | | done |
| | | echo " done." |
| | | else |
| | | echo "WARNING: errors encountered while trying to enable IP spoofing protection!" |
| | | fi |
| | | fi |
| | | |
| | | include_supplemental pre-local-block |
| | | |
| | | # Block any non-local attempts to get localhost addresses |
| | | # per woody@thebunker.net's bugtraq post |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM" ; incr_rule_num |
| | | ${IPTABLES} -A INPUT -p tcp -d 127.0.0.0/8 ! -i lo -j ${REJECT_METHOD} |
| | | |
| | | # Uncomment this to really, truly block active FTP |
| | | # (shouldn't be necessary if ip_conntrack_ftp does its job) |
| | | #if [ ${FORCE_PASV_FTP} = "Y" ]; then |
| | | # [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | # ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | # ${IPTABLES} -A INPUT -p tcp --sport ftp-data -j ${REJECT_METHOD} |
| | | # [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | # ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | # ${IPTABLES} -A FORWARD -p tcp --sport ftp-data -j ${REJECT_METHOD} |
| | | #fi |
| | | |
| | | include_supplemental pre-established |
| | | |
| | | # Stateful data returns (this should include ICMP messages) |
| | | # ...for data to this box |
| | | ${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| | | ${IPTABLES} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT |
| | | |
| | | # Fragments |
| | | if [ "${ALLOW_FRAGMENTS}" = "N" ]; then |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A INPUT -f -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A INPUT -f -j ${REJECT_METHOD} |
| | | fi |
| | | |
| | | include_supplemental pre-trusted |
| | | |
| | | # Allow all traffic from trusted interfaces |
| | | echo -n "Allowing traffic from trusted interfaces..." |
| | | for t_iface in ${TRUSTED_IFACES} ; do |
| | | # we could be pickier here, e.g. only allow traffic |
| | | # that looks valid |
| | | ${IPTABLES} -A INPUT -i ${t_iface} -j ACCEPT |
| | | done |
| | | echo " done. " |
| | | |
| | | # If you have networks that route traffic to each other through this |
| | | # server, you may want to add some forwarding rules, here, e.g. |
| | | # one way, 192.168.*.* -> 10.*.*.* with 192.168.*.* on "eth0" |
| | | # |
| | | # Note: I _think_ this is right; if not, please let me know! |
| | | # |
| | | #${IPTABLES} -A FORWARD -i eth0 -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT |
| | | # the other direction, 10.*.*.* -> 192.168.*.* with 10.*.*.* on "eth1" |
| | | #${IPTABLES} -A FORWARD -i eth1 -d 192.168.0.0/16 -s 10.0.0.0/8 -j ACCEPT |
| | | |
| | | include_supplemental pre-mcast-block |
| | | |
| | | # No packets with multicast source addresses (Joshua K, RFC 1122) |
| | | # (If you want to enable multicast, comment this out!) |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A INPUT -s 224.0.0.0/4 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A INPUT -s 224.0.0.0/4 -j ${REJECT_METHOD} |
| | | |
| | | # Forwarding |
| | | |
| | | include_supplemental pre-nat |
| | | |
| | | # IP Masquerading/forwarding |
| | | # |
| | | # Unload masq modules (maybe we're disabling masquerading, maybe we changed the module list) |
| | | #do_masq_mods unload |
| | | # |
| | | if [ -n "${IP_MASQ_NETWORK}" ]; then |
| | | echo -n "Loading NAT modules..." |
| | | modprobe iptable_nat |
| | | echo " done." |
| | | echo -n "Setting up masquerading rules..." |
| | | # since we've set the default forwarding policy to |
| | | # reject, we can enable forwarding now |
| | | echo 1 > /proc/sys/net/ipv4/ip_forward |
| | | # set up rules for masqueraded networks |
| | | for net in ${IP_MASQ_NETWORK} ; do |
| | | for pub in ${PUBLIC_IFACES} ; do |
| | | # NAT should be one-way, deny traffic from public |
| | | # interfaces that is addresses to masq'ed networks |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A INPUT -d ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A INPUT -d ${net} -i ${pub} -j ${REJECT_METHOD} |
| | | # spoofed addreses from outside |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A INPUT -s ${net} -i ${pub} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "INPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A INPUT -s ${net} -i ${pub} -j ${REJECT_METHOD} |
| | | if [ "${DROP_SMB_NAT_BCAST}" = "Y" ]; then |
| | | # NetBIOS |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A FORWARD -p tcp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD} |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "FORWARD ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A FORWARD -p udp -s ${net} -o ${pub} --dport 137:139 -d 0.0.0.255/0.0.0.255 -j ${REJECT_METHOD} |
| | | fi |
| | | # set up a NAT rule with MASQ -- se below for SNAT |
| | | ${IPTABLES} -t nat -A POSTROUTING -s ${net} -o ${pub} -j MASQUERADE |
| | | ${IPTABLES} -A FORWARD -s ${net} -o ${pub} -j ACCEPT |
| | | done |
| | | done |
| | | # If you have a statuc address for the public interface, |
| | | # you might prefer setting upp static NAT instead of the |
| | | # -j MASQUERADE code above: |
| | | #${IPTABLES} -t nat -A POSTROUTING -o ${DEFAULT_GW_IFACE} -j SNAT --to ${DEFAULT_GW_IP} |
| | | echo " done." |
| | | echo -n "Loading masquerading modules..." |
| | | do_masq_mods load |
| | | echo " done." |
| | | fi |
| | | |
| | | include_supplemental pre-chain-split |
| | | |
| | | echo -n "Setting up chains for public/internal interface traffic..." |
| | | |
| | | # Direct PUBLIC interface traffic to the proper chain |
| | | for iface in ${PUBLIC_IFACES} ; do |
| | | ${IPTABLES} -A INPUT -i ${iface} -j PUB_IN |
| | | ${IPTABLES} -A OUTPUT -o ${iface} -j PUB_OUT |
| | | done |
| | | |
| | | |
| | | # disallow any attempts to get to internal interfaces from outside |
| | | # not good if this is supposed to route between normal networks |
| | | for int in ${INTERNAL_NETWORKS} ; do |
| | | # deny traffic from public |
| | | # interfaces that is addressed to internal networks |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A PUB_IN -d ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A PUB_IN -d ${int} -j ${REJECT_METHOD} |
| | | # spoofed addreses from outside |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A PUB_IN -s ${int} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A PUB_IN -s ${int} -j ${REJECT_METHOD} |
| | | done |
| | | |
| | | # direct packets to the INTERNAL_* chains |
| | | for iface in ${INTERNAL_IFACES} ; do |
| | | ${IPTABLES} -A INPUT -i ${iface} -j INT_IN |
| | | ${IPTABLES} -A OUTPUT -o ${iface} -j INT_OUT |
| | | done |
| | | echo " done. " |
| | | |
| | | echo -n "Setting up general rules..." |
| | | |
| | | include_supplemental pre-dhcp |
| | | |
| | | # Allow response from DHCP servers |
| | | for iface in ${DHCP_IFACES} ; do |
| | | # make link so dhcpcd runs firewall when IP changes (if no such file already) |
| | | [ ! -d /etc/dhcpc ] && mkdir /etc/dhcpc -m 0750 |
| | | if [ -x /sbin/bastille-firewall-reset -a ! -L /etc/dhcpc/dhcpcd-${iface}.exe ]; then |
| | | ln -s /sbin/bastille-firewall-reset /etc/dhcpc/dhcpcd-${iface}.exe |
| | | fi |
| | | done |
| | | |
| | | include_supplemental pre-internal |
| | | |
| | | # internal interface rules |
| | | # Allow accessses to TCP services on this system |
| | | for serv in ${TCP_INTERNAL_SERVICES} ; do |
| | | ${IPTABLES} -A INT_IN -p tcp --dport ${serv} -j PAROLE |
| | | done |
| | | # UDP services |
| | | for serv in ${UDP_INTERNAL_SERVICES} ; do |
| | | ${IPTABLES} -A INT_IN -p udp --dport ${serv} -j ACCEPT |
| | | done |
| | | # ICMP |
| | | # hopefully you don't care about hiding from internal hosts! |
| | | ${IPTABLES} -A INT_IN -p icmp -j ACCEPT |
| | | ${IPTABLES} -A INT_OUT -p icmp -j ACCEPT |
| | | # ...but if you do... try this... (and see the PUB_IN rules below) |
| | | #for type in ${ICMP_ALLOWED_TYPES} ; do |
| | | # ${IPTABLES} -A INT_IN -p icmp --icmp-type ${type} -j ACCEPT |
| | | #done |
| | | |
| | | include_supplemental pre-input |
| | | |
| | | # input rules |
| | | # |
| | | # public interfaces |
| | | |
| | | # --------------------- ICMP -------------------------- |
| | | for type in ${ICMP_ALLOWED_TYPES} ; do |
| | | ${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -j ACCEPT |
| | | done |
| | | |
| | | # --------------------- TCP -------------------------- |
| | | for serv in ${TCP_PUBLIC_SERVICES} ; do |
| | | ${IPTABLES} -A PUB_IN -p tcp --dport ${serv} -j PAROLE |
| | | done |
| | | |
| | | # --------------------- UDP -------------------------- |
| | | for serv in ${UDP_PUBLIC_SERVICES} ; do |
| | | ${IPTABLES} -A PUB_IN -p udp --dport ${serv} -j ACCEPT |
| | | done |
| | | |
| | | include_supplemental pre-audit |
| | | |
| | | # -------------- Public interface input auditing --------------- |
| | | # Note that this will only audit services that are not actually available |
| | | # |
| | | for service in ${TCP_AUDIT_SERVICES} ; do |
| | | ${IPTABLES} -A PUB_IN -p tcp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" |
| | | done |
| | | for service in ${UDP_AUDIT_SERVICES} ; do |
| | | ${IPTABLES} -A PUB_IN -p udp --dport ${service} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" |
| | | done |
| | | for type in ${ICMP_AUDIT_TYPES} ; do |
| | | ${IPTABLES} -A PUB_IN -p icmp --icmp-type ${type} -m state --state NEW,INVALID -m limit --limit 5/second --limit-burst 8 -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "audit" |
| | | done |
| | | |
| | | # if you're disallowing ICMP, you may be trying to look |
| | | # invisible/disable ping, so let's just drop these attempts |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A PUB_IN -p icmp -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "PUB_IN DROP $RULENUM" ; incr_rule_num |
| | | ${IPTABLES} -A PUB_IN -p icmp -j DROP |
| | | |
| | | # --------------------- catch-all -------------------------- |
| | | # Reject all other traffic (redundant if not logging) |
| | | if [ ${LOG_FAILURES} = "Y" ]; then |
| | | for chain in INPUT PUB_IN INT_IN ; do |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A ${chain} -j ${REJECT_METHOD} |
| | | done |
| | | fi |
| | | |
| | | # |
| | | echo " done." |
| | | |
| | | include_supplemental pre-output |
| | | |
| | | echo -n "Setting up outbound rules..." |
| | | # |
| | | # Here you might really lock things down if this is a server, |
| | | # e.g., to keep it from doing anything but connecting to |
| | | # SMTP servers and responding to Web requests, or whatever |
| | | # the specific requirements are. |
| | | # |
| | | # Such lockdowns are recommended if the situation affords you |
| | | # that flexibility. |
| | | # |
| | | # If you want to only allow the server to respond to requests |
| | | # (and not even make DNS/dhcp/ntp queries!), then uncomment these lines: |
| | | # # Note: if the connection table fills, you won't be able to |
| | | # # respond to requests if you rely on "-m state" with these rules |
| | | # ${IPTABLES} -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
| | | # [ ${LOG_FAILURES} = "Y" ] && \ |
| | | # ${IPTABLES} -A OUTPUT -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "OUTPUT ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | # ${IPTABLES} -A OUTPUT -j REJECT |
| | | # |
| | | # default is to enable outbound traffic |
| | | ${IPTABLES} -P OUTPUT ACCEPT |
| | | |
| | | include_supplemental pre-policy-reset |
| | | |
| | | # Now that all rules are set, we can change the policies |
| | | # to the user preference safely |
| | | [ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A FORWARD -j ${REJECT_METHOD} |
| | | [ ${REJECT_METHOD} != "DROP" ] && ${IPTABLES} -A INPUT -j ${REJECT_METHOD} |
| | | # to set default "policies" for PUB_* and INT_* chains, add a final rule |
| | | if [ ${LOG_FAILURES} != "Y" ]; then |
| | | # if LOG_FAILURES were set, we would have already done this |
| | | for chain in PUB_IN INT_IN INPUT FORWARD; do |
| | | [ "${LOG_FAILURES}" = "Y" ] && \ |
| | | ${IPTABLES} -A ${chain} -j LOG --log-level ${IP_LOG_LEVEL} --log-prefix "${chain} ${REJECT_METHOD} $RULENUM " ; incr_rule_num |
| | | ${IPTABLES} -A ${chain} -j ${REJECT_METHOD} |
| | | done |
| | | fi |
| | | for chain in PUB_OUT INT_OUT ; do |
| | | ${IPTABLES} -A ${chain} -j ACCEPT |
| | | done |
| | | # rule 1 in all of these chains is a deny rule; remove it so other rules work |
| | | for chain in PUB_IN INT_IN PUB_OUT INT_OUT ; do |
| | | ${IPTABLES} -D ${chain} -j DROP |
| | | done |
| | | |
| | | include_supplemental post-rule-setup |
| | | |
| | | echo " done." |
| | | |
| | | ;; |
| | | stop) |
| | | include_supplemental pre-drop-rules |
| | | echo |
| | | echo "WARNING: reverting to default settings (dropping firewall)" |
| | | # We should disable NAT/forwarding even if not set to restore defaults |
| | | echo -n "disabling IP forwarding..." |
| | | echo 0 > /proc/sys/net/ipv4/ip_forward |
| | | echo " done." |
| | | echo -n "unloading masquerading modules..." |
| | | do_masq_mods unload |
| | | echo " done." |
| | | # flushing leaves the default input at ${REJECT_METHOD} |
| | | echo -n "resetting default input rules to accept..." |
| | | ${IPTABLES} -P INPUT ACCEPT |
| | | echo " done." |
| | | echo -n "resetting default output rule to accept..." |
| | | ${IPTABLES} -P OUTPUT ACCEPT |
| | | echo " done." |
| | | # We disabled forwarding with the /proc interface, but we |
| | | # reset FORWARD to ACCEPT because that;s the normal default |
| | | echo -n "resetting default forward rule to accept..." |
| | | ${IPTABLES} -P FORWARD ACCEPT |
| | | echo " done." |
| | | for chain in INPUT OUTPUT FORWARD ; do |
| | | echo -n "flushing ${chain} rules..." |
| | | ${IPTABLES} -F ${chain} |
| | | echo " done." |
| | | done |
| | | for chain in PREROUTING POSTROUTING ; do |
| | | ${IPTABLES} -t nat -F ${chain} |
| | | done |
| | | ${IPTABLES} -t mangle -F PREROUTING |
| | | # flush and delete the user-defined chains |
| | | echo -n "removing user-defined chains..." |
| | | for chain in PUB_IN PUB_OUT INT_IN INT_OUT PAROLE ; do |
| | | ${IPTABLES} -F ${chain} |
| | | ${IPTABLES} -X ${chain} |
| | | done |
| | | include_supplemental post-drop-rules |
| | | echo " done." |
| | | ;; |
| | | status) |
| | | ${IPTABLES} -L -v -n |
| | | ;; |
| | | *) |
| | | echo "Usage: $0 {start|restart|reload|stop|status}" |
| | | exit 1 |
| | | esac |
| | | |
| | | exit 0 |
| | | |
New file |
| | |
| | | GNU GENERAL PUBLIC LICENSE |
| | | Version 2, June 1991 |
| | | |
| | | Copyright (C) 1989, 1991 Free Software Foundation, Inc., |
| | | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
| | | Everyone is permitted to copy and distribute verbatim copies |
| | | of this license document, but changing it is not allowed. |
| | | |
| | | Preamble |
| | | |
| | | The licenses for most software are designed to take away your |
| | | freedom to share and change it. By contrast, the GNU General Public |
| | | License is intended to guarantee your freedom to share and change free |
| | | software--to make sure the software is free for all its users. This |
| | | General Public License applies to most of the Free Software |
| | | Foundation's software and to any other program whose authors commit to |
| | | using it. (Some other Free Software Foundation software is covered by |
| | | the GNU Lesser General Public License instead.) You can apply it to |
| | | your programs, too. |
| | | |
| | | When we speak of free software, we are referring to freedom, not |
| | | price. Our General Public Licenses are designed to make sure that you |
| | | have the freedom to distribute copies of free software (and charge for |
| | | this service if you wish), that you receive source code or can get it |
| | | if you want it, that you can change the software or use pieces of it |
| | | in new free programs; and that you know you can do these things. |
| | | |
| | | To protect your rights, we need to make restrictions that forbid |
| | | anyone to deny you these rights or to ask you to surrender the rights. |
| | | These restrictions translate to certain responsibilities for you if you |
| | | distribute copies of the software, or if you modify it. |
| | | |
| | | For example, if you distribute copies of such a program, whether |
| | | gratis or for a fee, you must give the recipients all the rights that |
| | | you have. You must make sure that they, too, receive or can get the |
| | | source code. And you must show them these terms so they know their |
| | | rights. |
| | | |
| | | We protect your rights with two steps: (1) copyright the software, and |
| | | (2) offer you this license which gives you legal permission to copy, |
| | | distribute and/or modify the software. |
| | | |
| | | Also, for each author's protection and ours, we want to make certain |
| | | that everyone understands that there is no warranty for this free |
| | | software. If the software is modified by someone else and passed on, we |
| | | want its recipients to know that what they have is not the original, so |
| | | that any problems introduced by others will not reflect on the original |
| | | authors' reputations. |
| | | |
| | | Finally, any free program is threatened constantly by software |
| | | patents. We wish to avoid the danger that redistributors of a free |
| | | program will individually obtain patent licenses, in effect making the |
| | | program proprietary. To prevent this, we have made it clear that any |
| | | patent must be licensed for everyone's free use or not licensed at all. |
| | | |
| | | The precise terms and conditions for copying, distribution and |
| | | modification follow. |
| | | |
| | | GNU GENERAL PUBLIC LICENSE |
| | | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION |
| | | |
| | | 0. This License applies to any program or other work which contains |
| | | a notice placed by the copyright holder saying it may be distributed |
| | | under the terms of this General Public License. The "Program", below, |
| | | refers to any such program or work, and a "work based on the Program" |
| | | means either the Program or any derivative work under copyright law: |
| | | that is to say, a work containing the Program or a portion of it, |
| | | either verbatim or with modifications and/or translated into another |
| | | language. (Hereinafter, translation is included without limitation in |
| | | the term "modification".) Each licensee is addressed as "you". |
| | | |
| | | Activities other than copying, distribution and modification are not |
| | | covered by this License; they are outside its scope. The act of |
| | | running the Program is not restricted, and the output from the Program |
| | | is covered only if its contents constitute a work based on the |
| | | Program (independent of having been made by running the Program). |
| | | Whether that is true depends on what the Program does. |
| | | |
| | | 1. You may copy and distribute verbatim copies of the Program's |
| | | source code as you receive it, in any medium, provided that you |
| | | conspicuously and appropriately publish on each copy an appropriate |
| | | copyright notice and disclaimer of warranty; keep intact all the |
| | | notices that refer to this License and to the absence of any warranty; |
| | | and give any other recipients of the Program a copy of this License |
| | | along with the Program. |
| | | |
| | | You may charge a fee for the physical act of transferring a copy, and |
| | | you may at your option offer warranty protection in exchange for a fee. |
| | | |
| | | 2. You may modify your copy or copies of the Program or any portion |
| | | of it, thus forming a work based on the Program, and copy and |
| | | distribute such modifications or work under the terms of Section 1 |
| | | above, provided that you also meet all of these conditions: |
| | | |
| | | a) You must cause the modified files to carry prominent notices |
| | | stating that you changed the files and the date of any change. |
| | | |
| | | b) You must cause any work that you distribute or publish, that in |
| | | whole or in part contains or is derived from the Program or any |
| | | part thereof, to be licensed as a whole at no charge to all third |
| | | parties under the terms of this License. |
| | | |
| | | c) If the modified program normally reads commands interactively |
| | | when run, you must cause it, when started running for such |
| | | interactive use in the most ordinary way, to print or display an |
| | | announcement including an appropriate copyright notice and a |
| | | notice that there is no warranty (or else, saying that you provide |
| | | a warranty) and that users may redistribute the program under |
| | | these conditions, and telling the user how to view a copy of this |
| | | License. (Exception: if the Program itself is interactive but |
| | | does not normally print such an announcement, your work based on |
| | | the Program is not required to print an announcement.) |
| | | |
| | | These requirements apply to the modified work as a whole. If |
| | | identifiable sections of that work are not derived from the Program, |
| | | and can be reasonably considered independent and separate works in |
| | | themselves, then this License, and its terms, do not apply to those |
| | | sections when you distribute them as separate works. But when you |
| | | distribute the same sections as part of a whole which is a work based |
| | | on the Program, the distribution of the whole must be on the terms of |
| | | this License, whose permissions for other licensees extend to the |
| | | entire whole, and thus to each and every part regardless of who wrote it. |
| | | |
| | | Thus, it is not the intent of this section to claim rights or contest |
| | | your rights to work written entirely by you; rather, the intent is to |
| | | exercise the right to control the distribution of derivative or |
| | | collective works based on the Program. |
| | | |
| | | In addition, mere aggregation of another work not based on the Program |
| | | with the Program (or with a work based on the Program) on a volume of |
| | | a storage or distribution medium does not bring the other work under |
| | | the scope of this License. |
| | | |
| | | 3. You may copy and distribute the Program (or a work based on it, |
| | | under Section 2) in object code or executable form under the terms of |
| | | Sections 1 and 2 above provided that you also do one of the following: |
| | | |
| | | a) Accompany it with the complete corresponding machine-readable |
| | | source code, which must be distributed under the terms of Sections |
| | | 1 and 2 above on a medium customarily used for software interchange; or, |
| | | |
| | | b) Accompany it with a written offer, valid for at least three |
| | | years, to give any third party, for a charge no more than your |
| | | cost of physically performing source distribution, a complete |
| | | machine-readable copy of the corresponding source code, to be |
| | | distributed under the terms of Sections 1 and 2 above on a medium |
| | | customarily used for software interchange; or, |
| | | |
| | | c) Accompany it with the information you received as to the offer |
| | | to distribute corresponding source code. (This alternative is |
| | | allowed only for noncommercial distribution and only if you |
| | | received the program in object code or executable form with such |
| | | an offer, in accord with Subsection b above.) |
| | | |
| | | The source code for a work means the preferred form of the work for |
| | | making modifications to it. For an executable work, complete source |
| | | code means all the source code for all modules it contains, plus any |
| | | associated interface definition files, plus the scripts used to |
| | | control compilation and installation of the executable. However, as a |
| | | special exception, the source code distributed need not include |
| | | anything that is normally distributed (in either source or binary |
| | | form) with the major components (compiler, kernel, and so on) of the |
| | | operating system on which the executable runs, unless that component |
| | | itself accompanies the executable. |
| | | |
| | | If distribution of executable or object code is made by offering |
| | | access to copy from a designated place, then offering equivalent |
| | | access to copy the source code from the same place counts as |
| | | distribution of the source code, even though third parties are not |
| | | compelled to copy the source along with the object code. |
| | | |
| | | 4. You may not copy, modify, sublicense, or distribute the Program |
| | | except as expressly provided under this License. Any attempt |
| | | otherwise to copy, modify, sublicense or distribute the Program is |
| | | void, and will automatically terminate your rights under this License. |
| | | However, parties who have received copies, or rights, from you under |
| | | this License will not have their licenses terminated so long as such |
| | | parties remain in full compliance. |
| | | |
| | | 5. You are not required to accept this License, since you have not |
| | | signed it. However, nothing else grants you permission to modify or |
| | | distribute the Program or its derivative works. These actions are |
| | | prohibited by law if you do not accept this License. Therefore, by |
| | | modifying or distributing the Program (or any work based on the |
| | | Program), you indicate your acceptance of this License to do so, and |
| | | all its terms and conditions for copying, distributing or modifying |
| | | the Program or works based on it. |
| | | |
| | | 6. Each time you redistribute the Program (or any work based on the |
| | | Program), the recipient automatically receives a license from the |
| | | original licensor to copy, distribute or modify the Program subject to |
| | | these terms and conditions. You may not impose any further |
| | | restrictions on the recipients' exercise of the rights granted herein. |
| | | You are not responsible for enforcing compliance by third parties to |
| | | this License. |
| | | |
| | | 7. If, as a consequence of a court judgment or allegation of patent |
| | | infringement or for any other reason (not limited to patent issues), |
| | | conditions are imposed on you (whether by court order, agreement or |
| | | otherwise) that contradict the conditions of this License, they do not |
| | | excuse you from the conditions of this License. If you cannot |
| | | distribute so as to satisfy simultaneously your obligations under this |
| | | License and any other pertinent obligations, then as a consequence you |
| | | may not distribute the Program at all. For example, if a patent |
| | | license would not permit royalty-free redistribution of the Program by |
| | | all those who receive copies directly or indirectly through you, then |
| | | the only way you could satisfy both it and this License would be to |
| | | refrain entirely from distribution of the Program. |
| | | |
| | | If any portion of this section is held invalid or unenforceable under |
| | | any particular circumstance, the balance of the section is intended to |
| | | apply and the section as a whole is intended to apply in other |
| | | circumstances. |
| | | |
| | | It is not the purpose of this section to induce you to infringe any |
| | | patents or other property right claims or to contest validity of any |
| | | such claims; this section has the sole purpose of protecting the |
| | | integrity of the free software distribution system, which is |
| | | implemented by public license practices. Many people have made |
| | | generous contributions to the wide range of software distributed |
| | | through that system in reliance on consistent application of that |
| | | system; it is up to the author/donor to decide if he or she is willing |
| | | to distribute software through any other system and a licensee cannot |
| | | impose that choice. |
| | | |
| | | This section is intended to make thoroughly clear what is believed to |
| | | be a consequence of the rest of this License. |
| | | |
| | | 8. If the distribution and/or use of the Program is restricted in |
| | | certain countries either by patents or by copyrighted interfaces, the |
| | | original copyright holder who places the Program under this License |
| | | may add an explicit geographical distribution limitation excluding |
| | | those countries, so that distribution is permitted only in or among |
| | | countries not thus excluded. In such case, this License incorporates |
| | | the limitation as if written in the body of this License. |
| | | |
| | | 9. The Free Software Foundation may publish revised and/or new versions |
| | | of the General Public License from time to time. Such new versions will |
| | | be similar in spirit to the present version, but may differ in detail to |
| | | address new problems or concerns. |
| | | |
| | | Each version is given a distinguishing version number. If the Program |
| | | specifies a version number of this License which applies to it and "any |
| | | later version", you have the option of following the terms and conditions |
| | | either of that version or of any later version published by the Free |
| | | Software Foundation. If the Program does not specify a version number of |
| | | this License, you may choose any version ever published by the Free Software |
| | | Foundation. |
| | | |
| | | 10. If you wish to incorporate parts of the Program into other free |
| | | programs whose distribution conditions are different, write to the author |
| | | to ask for permission. For software which is copyrighted by the Free |
| | | Software Foundation, write to the Free Software Foundation; we sometimes |
| | | make exceptions for this. Our decision will be guided by the two goals |
| | | of preserving the free status of all derivatives of our free software and |
| | | of promoting the sharing and reuse of software generally. |
| | | |
| | | NO WARRANTY |
| | | |
| | | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY |
| | | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN |
| | | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES |
| | | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED |
| | | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| | | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS |
| | | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE |
| | | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, |
| | | REPAIR OR CORRECTION. |
| | | |
| | | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING |
| | | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR |
| | | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, |
| | | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING |
| | | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED |
| | | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY |
| | | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER |
| | | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE |
| | | POSSIBILITY OF SUCH DAMAGES. |
| | | |
| | | END OF TERMS AND CONDITIONS |
| | | |
| | | How to Apply These Terms to Your New Programs |
| | | |
| | | If you develop a new program, and you want it to be of the greatest |
| | | possible use to the public, the best way to achieve this is to make it |
| | | free software which everyone can redistribute and change under these terms. |
| | | |
| | | To do so, attach the following notices to the program. It is safest |
| | | to attach them to the start of each source file to most effectively |
| | | convey the exclusion of warranty; and each file should have at least |
| | | the "copyright" line and a pointer to where the full notice is found. |
| | | |
| | | <one line to give the program's name and a brief idea of what it does.> |
| | | Copyright (C) <year> <name of author> |
| | | |
| | | This program is free software; you can redistribute it and/or modify |
| | | it under the terms of the GNU General Public License as published by |
| | | the Free Software Foundation; either version 2 of the License, or |
| | | (at your option) any later version. |
| | | |
| | | This program is distributed in the hope that it will be useful, |
| | | but WITHOUT ANY WARRANTY; without even the implied warranty of |
| | | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| | | GNU General Public License for more details. |
| | | |
| | | You should have received a copy of the GNU General Public License along |
| | | with this program; if not, write to the Free Software Foundation, Inc., |
| | | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| | | |
| | | Also add information on how to contact you by electronic and paper mail. |
| | | |
| | | If the program is interactive, make it output a short notice like this |
| | | when it starts in an interactive mode: |
| | | |
| | | Gnomovision version 69, Copyright (C) year name of author |
| | | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. |
| | | This is free software, and you are welcome to redistribute it |
| | | under certain conditions; type `show c' for details. |
| | | |
| | | The hypothetical commands `show w' and `show c' should show the appropriate |
| | | parts of the General Public License. Of course, the commands you use may |
| | | be called something other than `show w' and `show c'; they could even be |
| | | mouse-clicks or menu items--whatever suits your program. |
| | | |
| | | You should also get your employer (if you work as a programmer) or your |
| | | school, if any, to sign a "copyright disclaimer" for the program, if |
| | | necessary. Here is a sample; alter the names: |
| | | |
| | | Yoyodyne, Inc., hereby disclaims all copyright interest in the program |
| | | `Gnomovision' (which makes passes at compilers) written by James Hacker. |
| | | |
| | | <signature of Ty Coon>, 1 April 1989 |
| | | Ty Coon, President of Vice |
| | | |
| | | This General Public License does not permit incorporating your program into |
| | | proprietary programs. If your program is a subroutine library, you may |
| | | consider it more useful to permit linking proprietary applications with the |
| | | library. If this is what you want to do, use the GNU Lesser General |
| | | Public License instead of this License. |
| | |
| | | //* Configure Apache |
| | | swriteln('Configuring Apache'); |
| | | $inst->configure_apache(); |
| | | |
| | | //* Configure Firewall |
| | | swriteln('Configuring Firewall'); |
| | | $inst->configure_firewall(); |
| | | |
| | | //* Configure ISPConfig |
| | | swriteln('Installing ISPConfig'); |
| | |
| | | $inst->configure_apache(); |
| | | } |
| | | |
| | | //** Configure Firewall |
| | | if(strtolower($inst->simple_query('Configure Firewall Server',array('y','n'),'y')) == 'y') { |
| | | swriteln('Configuring Firewall'); |
| | | $inst->configure_firewall(); |
| | | } |
| | | |
| | | //** Configure ISPConfig :-) |
| | | if(strtolower($inst->simple_query('Install ISPConfig Web-Interface',array('y','n'),'y')) == 'y') { |
| | | swriteln('Installing ISPConfig'); |
| | |
| | | |
| | | } |
| | | |
| | | public function configure_firewall() |
| | | { |
| | | global $conf; |
| | | |
| | | $dist_init_scripts = $conf['init_scripts']; |
| | | |
| | | if(is_dir("/etc/Bastille")) caselog("mv -f /etc/Bastille /etc/Bastille.backup", $FILE, __LINE__); |
| | | @mkdir("/etc/Bastille", octdec($directory_mode)); |
| | | if(is_dir("/etc/Bastille.backup/firewall.d")) caselog("cp -pfr /etc/Bastille.backup/firewall.d /etc/Bastille/", $FILE, __LINE__); |
| | | caselog("cp -f tpl/bastille-firewall.cfg.master /etc/Bastille/bastille-firewall.cfg", $FILE, __LINE__); |
| | | caselog("chmod 644 /etc/Bastille/bastille-firewall.cfg", $FILE, __LINE__); |
| | | $content = rf("/etc/Bastille/bastille-firewall.cfg"); |
| | | $content = str_replace("{DNS_SERVERS}", "", $content); |
| | | |
| | | $tcp_public_services = ''; |
| | | $udp_public_services = ''; |
| | | |
| | | $row = $this->db->queryOneRecord("SELECT * FROM firewall WHERE server_id = ".intval($this->conf['server_id'])); |
| | | |
| | | if(trim($row["tcp_port"]) != '' || trim($row["udp_port"]) != ''){ |
| | | $tcp_public_services = trim(str_replace(',',' ',$row["tcp_port"])); |
| | | $udp_public_services = trim(str_replace(',',' ',$row["udp_port"])); |
| | | } else { |
| | | $tcp_public_services = '21 22 25 53 80 110 443 8080 10000'; |
| | | $udp_public_services = '53'; |
| | | } |
| | | $content = str_replace("{TCP_PUBLIC_SERVICES}", $tcp_public_services, $content); |
| | | $content = str_replace("{UDP_PUBLIC_SERVICES}", $udp_public_services, $content); |
| | | |
| | | wf("/etc/Bastille/bastille-firewall.cfg", $content); |
| | | |
| | | if(is_file($dist_init_scripts."/bastille-firewall")) caselog("mv -f $dist_init_scripts/bastille-firewall $dist_init_scripts/bastille-firewall.backup_".date("m_d_Y__H_i_s", $current_date), $FILE, __LINE__); |
| | | caselog("cp -f apps/bastille-firewall $dist_init_scripts", $FILE, __LINE__); |
| | | caselog("chmod 700 $dist_init_scripts/bastille-firewall", $FILE, __LINE__); |
| | | |
| | | if(is_file("/sbin/bastille-ipchains")) caselog("mv -f /sbin/bastille-ipchains /sbin/bastille-ipchains.backup", $FILE, __LINE__); |
| | | caselog("cp -f apps/bastille-ipchains /sbin", $FILE, __LINE__); |
| | | caselog("chmod 700 /sbin/bastille-ipchains", $FILE, __LINE__); |
| | | |
| | | if(is_file("/sbin/bastille-netfilter")) caselog("mv -f /sbin/bastille-netfilter /sbin/bastille-netfilter.backup", $FILE, __LINE__); |
| | | caselog("cp -f apps/bastille-netfilter /sbin", $FILE, __LINE__); |
| | | caselog("chmod 700 /sbin/bastille-netfilter", $FILE, __LINE__); |
| | | |
| | | exec("which ipchains &> /dev/null", $ipchains_location, $ret_val); |
| | | if(!is_file("/sbin/ipchains") && !is_link("/sbin/ipchains") && $ret_val == 0) phpcaselog(@symlink(shell_exec("which ipchains"), "/sbin/ipchains"), 'create symlink', $FILE, __LINE__); |
| | | unset($ipchains_location); |
| | | exec("which iptables &> /dev/null", $iptables_location, $ret_val); |
| | | if(!is_file("/sbin/iptables") && !is_link("/sbin/iptables") && $ret_val == 0) phpcaselog(@symlink(trim(shell_exec("which iptables")), "/sbin/iptables"), 'create symlink', $FILE, __LINE__); |
| | | unset($iptables_location); |
| | | |
| | | } |
| | | |
| | | |
| | | public function install_ispconfig() |
| | | { |
| | |
| | | //* make sure that the server config file (not the interface one) is only readable by the root user |
| | | exec("chmod 600 $install_dir/server/lib/$configfile"); |
| | | exec("chown root:root $install_dir/server/lib/$configfile"); |
| | | if(@is_file("$install_dir/server/lib/mysql_clientdb.conf") { |
| | | if(@is_file("$install_dir/server/lib/mysql_clientdb.conf")) { |
| | | exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf"); |
| | | exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf"); |
| | | } |
New file |
| | |
| | | # |
| | | # /etc/bastille-firewall.cfg |
| | | # |
| | | # Configuration file for both 2.2/ipchains and 2.4/netfilter scripts |
| | | # |
| | | # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $ |
| | | # Modified by: $Author: peterw $ |
| | | # $Date: 2002/01/04 13:34:18 $ |
| | | # $Revision: 1.7 $ |
| | | # |
| | | # Copyright (C) 1999-2001 Peter Watkins |
| | | # |
| | | # This program is distributed in the hope that it will be useful, |
| | | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| | | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| | | # GNU General Public License for more details. |
| | | # |
| | | # You should have received a copy of the GNU General Public License |
| | | # along with this program; if not, write to the Free Software |
| | | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| | | # |
| | | # Thanks to David Ranch, Brad A, Don G, and others for their suggestions |
| | | |
| | | # the configuration values should be whitespace-delimited lists of |
| | | # appropriate values, e.g. |
| | | # TCP_PUBLIC_SERVICES="80 smtp ssh" |
| | | # lists Web (port 80), SMTP mail, and Secure Shell ports |
| | | # |
| | | # This script is suitable for workstations or simple NAT firewalls; |
| | | # you may want to add more "output" restrictions for serious servers |
| | | |
| | | # 0) DNS servers (Linux 2.2/ipchains only) |
| | | # You must list your DNS servers here so that |
| | | # the firewall will allow them to service your lookup requests |
| | | # |
| | | # List of DNS servers/networks to allow "domain" responses from |
| | | # This _could_ be nameservers as a list of <ip-address>/32 entries |
| | | #DNS_SERVERS="a.b.c.d/32 e.f.g.h/32" |
| | | # If you are running a caching nameserver, you'll need to allow from |
| | | # "0.0.0.0/0" so named can query any arbitrary nameserver |
| | | # (To enable a caching nameserver, you will also probably need to |
| | | # add "domain" to the TCP and UDP public service lists.) |
| | | #DNS_SERVERS="0.0.0.0/0" |
| | | # |
| | | # To have the DNS servers parsed from /etc/resolv.conf at runtime, |
| | | # as normal workstations will want, make this variable empty |
| | | #DNS_SERVERS="" |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | DNS_SERVERS="{DNS_SERVERS}" |
| | | |
| | | |
| | | # 1) define your interfaces (all systems) |
| | | # Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP |
| | | # interface |
| | | # |
| | | # list internal/trusted interfaces |
| | | # traffic from these interfaces will be allowed |
| | | # through the firewall, no restrictions |
| | | #TRUSTED_IFACES="lo" # MINIMAL/SAFEST |
| | | # |
| | | # list external/untrusted interfaces |
| | | #PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST |
| | | # |
| | | # list internal/partially-trusted interfaces |
| | | # e.g. if this acts as a NAT/IP Masq server and you |
| | | # don't want clients on those interfaces having |
| | | # full network access to services running on this |
| | | # server (as the TRUSTED_IFACES allows) |
| | | #INTERNAL_IFACES="" # SAFEST |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | TRUSTED_IFACES="lo" # MINIMAL/SAFEST |
| | | PUBLIC_IFACES="eth+ ppp+ slip+ venet+" # SAFEST |
| | | INTERNAL_IFACES="" # SAFEST |
| | | |
| | | |
| | | # 2) services for which we want to log access attempts to syslog (all systems) |
| | | # Note this only audits connection attempts from public interfaces |
| | | # |
| | | # Also see item 12, LOG_FAILURES |
| | | # |
| | | #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" |
| | | # anyone probing for BackOrifice? |
| | | #UDP_AUDIT_SERVICES="31337" |
| | | # how about ICMP? |
| | | #ICMP_AUDIT_TYPES="" |
| | | #ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert |
| | | # |
| | | # To enable auditing, you must have syslog configured to log "kern" |
| | | # messages of "info" level; typically you'd do this with a line in |
| | | # syslog.conf like |
| | | # kern.info /var/log/messages |
| | | # though the Bastille port monitor will normally want these messages |
| | | # logged to a named pipe instead, and the Bastille script normally |
| | | # configures syslog for "kern.*" which catches these messages |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" |
| | | #UDP_AUDIT_SERVICES="31337" |
| | | #ICMP_AUDIT_TYPES="" |
| | | |
| | | |
| | | # 3) services we allow connections to (all systems) |
| | | # |
| | | # FTP note: |
| | | # To allow your machine to service "passive" FTP clients, |
| | | # you will need to make allowances for the passive data |
| | | # ports; Bastille users should read README.FTP for more |
| | | # information |
| | | # |
| | | # "public" interfaces: |
| | | # TCP services that "public" hosts should be allowed to connect to |
| | | #TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # UDP services that "public" hosts should be allowed to connect to |
| | | #UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # "internal" interfaces: |
| | | # (NB: you will need to repeat the "public" services if you want |
| | | # to allow "internal" hosts to reach those services, too.) |
| | | # TCP services that internal clients can connect to |
| | | #TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # UDP services that internal clients can connect to |
| | | #UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | TCP_PUBLIC_SERVICES="{TCP_PUBLIC_SERVICES}" # MINIMAL/SAFEST |
| | | UDP_PUBLIC_SERVICES="{UDP_PUBLIC_SERVICES}" # MINIMAL/SAFEST |
| | | TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | |
| | | # 4) passive/active FTP (Linux 2.2/ipchains only) |
| | | # FTP is a firewall nightmare; if you allow "normal" FTP connections, |
| | | # you must be careful to block any TCP services that are listening |
| | | # on high ports; it's safer to require your FTP clients to use |
| | | # "passive" mode. |
| | | # |
| | | # Note this will also force clients on machines |
| | | # that use this one for NAT/IP Masquerading to use passive mode |
| | | # for connections that go through this server (e.g. from the |
| | | # internal network to public Internet machines |
| | | # |
| | | # For more information about FTP, see the Bastille README.FTP doc |
| | | # |
| | | #FORCE_PASV_FTP="N" |
| | | #FORCE_PASV_FTP="Y" # SAFEST |
| | | # |
| | | FORCE_PASV_FTP="Y" # SAFEST |
| | | |
| | | |
| | | # 5) Services to explicitly block. (Linux 2.2/ipchains only) |
| | | # See FTP note above |
| | | # Note that ranges of ports are specified with colons, and you |
| | | # can specify an open range by using only one number, e.g. |
| | | # 1024: means ports >= 1024 and :6000 means ports <= 6000 |
| | | # |
| | | # TCP services on high ports that should be blocked if not forcing passive FTP |
| | | # This should include X (6000:6010) and anything else revealed by 'netstat -an' |
| | | # (this does not matter unless you're not forcing "passive" FTP) |
| | | #TCP_BLOCKED_SERVICES="6000:6020" |
| | | # |
| | | # UDP services to block: this should be UDP services on high ports. |
| | | # Your only vulnerability from public interfaces are the DNS and |
| | | # NTP servers/networks (those with 0.0.0.0 for DNS servers should |
| | | # obviously be very careful here!) |
| | | #UDP_BLOCKED_SERVICES="2049" |
| | | # |
| | | # types of ICMP packets to allow |
| | | #ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST |
| | | # the following allows you to ping/traceroute outbound |
| | | #ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded" |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | TCP_BLOCKED_SERVICES="6000:6020" |
| | | UDP_BLOCKED_SERVICES="2049" |
| | | ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request" |
| | | |
| | | |
| | | # 6) Source Address Verification (all Linux systems) |
| | | # This helps prevent "IP Spoofing" attacks |
| | | # |
| | | ENABLE_SRC_ADDR_VERIFY="Y" # SAFEST |
| | | |
| | | |
| | | # 7) IP Masquerading / NAT. (all systems) |
| | | # List your internal/masq'ed networks here |
| | | # |
| | | # Also see item 4, FORCE_PASV_FTP, as that setting affects |
| | | # clients using IP Masquerading through this machine |
| | | # |
| | | # Set this variable if you're using IP Masq / NAT for a local network |
| | | #IP_MASQ_NETWORK="" # DISABLE/SAFEST |
| | | #IP_MASQ_NETWORK="10.0.0.0/8" # example |
| | | #IP_MASQ_NETWORK="192.168.0.0/16" # example |
| | | # |
| | | # Have lots of masq hosts? uncomment the following six lines |
| | | # and list the hosts/networks in /etc/firewall-masqhosts |
| | | # the script assumes any address without a "/" netmask afterwards |
| | | # is an individual address (netmask /255.255.255.255): |
| | | #if [ -f /etc/firewall-masqhosts ]; then |
| | | # echo "Reading list of masq hosts from /etc/firewall-masqhosts" |
| | | # # Read the file, but use 'awk' to strip comments |
| | | # # Note the sed bracket phrase includes a space and tab char |
| | | # IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'` |
| | | #fi |
| | | # |
| | | # Masq modules |
| | | # NB: The script will prepend "ip_masq_" to each module name |
| | | #IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?) |
| | | #IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | IP_MASQ_NETWORK="" # DISABLE/SAFEST |
| | | IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED |
| | | |
| | | |
| | | # 8) How to react to disallowed packets (all systems) |
| | | # whether to "REJECT" or "DROP" disallowed packets; if you're running any |
| | | # public services, you probably ought to use "REJECT"; if in serious stealth |
| | | # mode, choose "DROP" so simple probes don't know if there's anything out there |
| | | # NOTE: disallowed ICMP packets are discarded with "DROP", as |
| | | # it would not make sense to "reject" the packet if you're |
| | | # trying to disallow ping/traceroute |
| | | # NOTE: the scripts that set up the filter rules will interpret these |
| | | # keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains |
| | | # |
| | | REJECT_METHOD="DROP" |
| | | |
| | | |
| | | # 9) DHCP (Linux 2.2/ipchains only) |
| | | # In case your server needs to get a DHCP address from some other |
| | | # machine (e.g. cable modem) |
| | | #DHCP_IFACES="eth0" # example, to allow you to query on eth0 |
| | | #DHCP_IFACES="" # DISABLED |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | DHCP_IFACES="" # DISABLED |
| | | |
| | | |
| | | # 10) NTP servers (Linux 2.2/ipchains only) |
| | | # more UDP fun. List IP addresses or network space of NTP servers |
| | | # |
| | | #NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST |
| | | #NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST |
| | | |
| | | |
| | | # 11) more ICMP. (Linux 2.2/ipchains only) |
| | | # Control the outbound ICMP to make yourself invisible to |
| | | # traceroute probes |
| | | # |
| | | #ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" |
| | | |
| | | |
| | | # 12) Logging (all systems) |
| | | # With this enabled, ipchains will log all blocked packets. |
| | | # ** this could generate huge logs ** |
| | | # This is primarily intended for the port mointoring system; |
| | | # also note that you probably do not want to "AUDIT" any services |
| | | # that you are not allowing, as doing so would mean duplicate |
| | | # logging |
| | | LOG_FAILURES="N" # do not log blocked packets |
| | | |
| | | # 13) Block fragmented packets (all systems) |
| | | # There's no good reason to allow these |
| | | #ALLOW_FRAGMENTS="N" # safest |
| | | ALLOW_FRAGMENTS="Y" # old behavior |
| | | |
| | | # 14) Prevent SMB broadcasts from leaking out NAT setup (all systems) |
| | | # Windows machines will poll teh net with SMB broadcasts, |
| | | # basically advertising their existence. Most folks agree |
| | | # that this traffic should be dropped |
| | | #DROP_SMB_NAT_BCAST="N" # allow them (are you sure?) |
| | | DROP_SMB_NAT_BCAST="Y" # drop those packets |
| | | |
| | | # 15) Log level (iptables/netfilter/Linux 2.4 only) |
| | | # Control what level of logging is used when the firewall logs |
| | | # information. Default is warning (4). Lowest priority is |
| | | # debug (7); highest is emergency (0). To prevent syslog |
| | | # from copying iptables error messages to the console, set |
| | | # this to 6 (7 would also work, but 6 is recommended) |
| | | # You can also stop syslogd/klogd from printing kernel |
| | | # messages to the console by issuing the command |
| | | # setterm -msg off |
| | | #IP_LOG_LEVEL=6 # level used in 2.2/ipchains |
| | | IP_LOG_LEVEL=4 # iptables/netfilter default |
| | | |
| | | # 16) Always attempt to use stateful features for inbound connections |
| | | # Always using state will allow the firewall to reject invalid |
| | | # packets sent to otherwise open TCP services, e.g. XMAS, NULL |
| | | # and SIN/FYN scans. The downside to choosing this behavior is that |
| | | # services may become unreachable if the packet filter's state |
| | | # table becomes full. |
| | | IP_ALWAYS_USE_STATE="N" # default, ensures services remain available |
| | | #IP_ALWAYS_USE_STATE="Y" # disallow invalid packets |
| | |
| | | //* Configure DBServer |
| | | swriteln('Configuring DBServer'); |
| | | $inst->configure_dbserver(); |
| | | |
| | | if(@is_dir('/etc/Bastille')) { |
| | | //* Configure Firewall |
| | | swriteln('Configuring Firewall'); |
| | | $inst->configure_firewall(); |
| | | } |
| | | } |
| | | |
| | | //** Configure ISPConfig |
| | |
| | | 'regex' => '/^[\s0-9\,]{0,255}$/', |
| | | 'errmsg'=> 'tcp_ports_error_regex'), |
| | | ), |
| | | 'default' => '', |
| | | 'default' => '21,22,25,53,80,110,443,8080,10000', |
| | | 'value' => '', |
| | | 'width' => '30', |
| | | 'maxlength' => '255' |
| | |
| | | 'regex' => '/^[\s0-9\,]{0,255}$/', |
| | | 'errmsg'=> 'tcp_ports_error_regex'), |
| | | ), |
| | | 'default' => '', |
| | | 'default' => '53', |
| | | 'value' => '', |
| | | 'width' => '30', |
| | | 'maxlength' => '255' |
New file |
| | |
| | | # |
| | | # /etc/bastille-firewall.cfg |
| | | # |
| | | # Configuration file for both 2.2/ipchains and 2.4/netfilter scripts |
| | | # |
| | | # $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $ |
| | | # Modified by: $Author: peterw $ |
| | | # $Date: 2002/01/04 13:34:18 $ |
| | | # $Revision: 1.7 $ |
| | | # |
| | | # Copyright (C) 1999-2001 Peter Watkins |
| | | # |
| | | # This program is distributed in the hope that it will be useful, |
| | | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| | | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| | | # GNU General Public License for more details. |
| | | # |
| | | # You should have received a copy of the GNU General Public License |
| | | # along with this program; if not, write to the Free Software |
| | | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| | | # |
| | | # Thanks to David Ranch, Brad A, Don G, and others for their suggestions |
| | | |
| | | # the configuration values should be whitespace-delimited lists of |
| | | # appropriate values, e.g. |
| | | # TCP_PUBLIC_SERVICES="80 smtp ssh" |
| | | # lists Web (port 80), SMTP mail, and Secure Shell ports |
| | | # |
| | | # This script is suitable for workstations or simple NAT firewalls; |
| | | # you may want to add more "output" restrictions for serious servers |
| | | |
| | | # 0) DNS servers (Linux 2.2/ipchains only) |
| | | # You must list your DNS servers here so that |
| | | # the firewall will allow them to service your lookup requests |
| | | # |
| | | # List of DNS servers/networks to allow "domain" responses from |
| | | # This _could_ be nameservers as a list of <ip-address>/32 entries |
| | | #DNS_SERVERS="a.b.c.d/32 e.f.g.h/32" |
| | | # If you are running a caching nameserver, you'll need to allow from |
| | | # "0.0.0.0/0" so named can query any arbitrary nameserver |
| | | # (To enable a caching nameserver, you will also probably need to |
| | | # add "domain" to the TCP and UDP public service lists.) |
| | | #DNS_SERVERS="0.0.0.0/0" |
| | | # |
| | | # To have the DNS servers parsed from /etc/resolv.conf at runtime, |
| | | # as normal workstations will want, make this variable empty |
| | | #DNS_SERVERS="" |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | DNS_SERVERS="{DNS_SERVERS}" |
| | | |
| | | |
| | | # 1) define your interfaces (all systems) |
| | | # Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP |
| | | # interface |
| | | # |
| | | # list internal/trusted interfaces |
| | | # traffic from these interfaces will be allowed |
| | | # through the firewall, no restrictions |
| | | #TRUSTED_IFACES="lo" # MINIMAL/SAFEST |
| | | # |
| | | # list external/untrusted interfaces |
| | | #PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST |
| | | # |
| | | # list internal/partially-trusted interfaces |
| | | # e.g. if this acts as a NAT/IP Masq server and you |
| | | # don't want clients on those interfaces having |
| | | # full network access to services running on this |
| | | # server (as the TRUSTED_IFACES allows) |
| | | #INTERNAL_IFACES="" # SAFEST |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | TRUSTED_IFACES="lo" # MINIMAL/SAFEST |
| | | PUBLIC_IFACES="eth+ ppp+ slip+ venet+" # SAFEST |
| | | INTERNAL_IFACES="" # SAFEST |
| | | |
| | | |
| | | # 2) services for which we want to log access attempts to syslog (all systems) |
| | | # Note this only audits connection attempts from public interfaces |
| | | # |
| | | # Also see item 12, LOG_FAILURES |
| | | # |
| | | #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" |
| | | # anyone probing for BackOrifice? |
| | | #UDP_AUDIT_SERVICES="31337" |
| | | # how about ICMP? |
| | | #ICMP_AUDIT_TYPES="" |
| | | #ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert |
| | | # |
| | | # To enable auditing, you must have syslog configured to log "kern" |
| | | # messages of "info" level; typically you'd do this with a line in |
| | | # syslog.conf like |
| | | # kern.info /var/log/messages |
| | | # though the Bastille port monitor will normally want these messages |
| | | # logged to a named pipe instead, and the Bastille script normally |
| | | # configures syslog for "kern.*" which catches these messages |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | #TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" |
| | | #UDP_AUDIT_SERVICES="31337" |
| | | #ICMP_AUDIT_TYPES="" |
| | | |
| | | |
| | | # 3) services we allow connections to (all systems) |
| | | # |
| | | # FTP note: |
| | | # To allow your machine to service "passive" FTP clients, |
| | | # you will need to make allowances for the passive data |
| | | # ports; Bastille users should read README.FTP for more |
| | | # information |
| | | # |
| | | # "public" interfaces: |
| | | # TCP services that "public" hosts should be allowed to connect to |
| | | #TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # UDP services that "public" hosts should be allowed to connect to |
| | | #UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # "internal" interfaces: |
| | | # (NB: you will need to repeat the "public" services if you want |
| | | # to allow "internal" hosts to reach those services, too.) |
| | | # TCP services that internal clients can connect to |
| | | #TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # UDP services that internal clients can connect to |
| | | #UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | TCP_PUBLIC_SERVICES="{tmpl_var name="TCP_PUBLIC_SERVICES"}" # MINIMAL/SAFEST |
| | | UDP_PUBLIC_SERVICES="{tmpl_var name="UDP_PUBLIC_SERVICES"}" # MINIMAL/SAFEST |
| | | TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST |
| | | |
| | | # 4) passive/active FTP (Linux 2.2/ipchains only) |
| | | # FTP is a firewall nightmare; if you allow "normal" FTP connections, |
| | | # you must be careful to block any TCP services that are listening |
| | | # on high ports; it's safer to require your FTP clients to use |
| | | # "passive" mode. |
| | | # |
| | | # Note this will also force clients on machines |
| | | # that use this one for NAT/IP Masquerading to use passive mode |
| | | # for connections that go through this server (e.g. from the |
| | | # internal network to public Internet machines |
| | | # |
| | | # For more information about FTP, see the Bastille README.FTP doc |
| | | # |
| | | #FORCE_PASV_FTP="N" |
| | | #FORCE_PASV_FTP="Y" # SAFEST |
| | | # |
| | | FORCE_PASV_FTP="Y" # SAFEST |
| | | |
| | | |
| | | # 5) Services to explicitly block. (Linux 2.2/ipchains only) |
| | | # See FTP note above |
| | | # Note that ranges of ports are specified with colons, and you |
| | | # can specify an open range by using only one number, e.g. |
| | | # 1024: means ports >= 1024 and :6000 means ports <= 6000 |
| | | # |
| | | # TCP services on high ports that should be blocked if not forcing passive FTP |
| | | # This should include X (6000:6010) and anything else revealed by 'netstat -an' |
| | | # (this does not matter unless you're not forcing "passive" FTP) |
| | | #TCP_BLOCKED_SERVICES="6000:6020" |
| | | # |
| | | # UDP services to block: this should be UDP services on high ports. |
| | | # Your only vulnerability from public interfaces are the DNS and |
| | | # NTP servers/networks (those with 0.0.0.0 for DNS servers should |
| | | # obviously be very careful here!) |
| | | #UDP_BLOCKED_SERVICES="2049" |
| | | # |
| | | # types of ICMP packets to allow |
| | | #ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST |
| | | # the following allows you to ping/traceroute outbound |
| | | #ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded" |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | TCP_BLOCKED_SERVICES="6000:6020" |
| | | UDP_BLOCKED_SERVICES="2049" |
| | | ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request" |
| | | |
| | | |
| | | # 6) Source Address Verification (all Linux systems) |
| | | # This helps prevent "IP Spoofing" attacks |
| | | # |
| | | ENABLE_SRC_ADDR_VERIFY="Y" # SAFEST |
| | | |
| | | |
| | | # 7) IP Masquerading / NAT. (all systems) |
| | | # List your internal/masq'ed networks here |
| | | # |
| | | # Also see item 4, FORCE_PASV_FTP, as that setting affects |
| | | # clients using IP Masquerading through this machine |
| | | # |
| | | # Set this variable if you're using IP Masq / NAT for a local network |
| | | #IP_MASQ_NETWORK="" # DISABLE/SAFEST |
| | | #IP_MASQ_NETWORK="10.0.0.0/8" # example |
| | | #IP_MASQ_NETWORK="192.168.0.0/16" # example |
| | | # |
| | | # Have lots of masq hosts? uncomment the following six lines |
| | | # and list the hosts/networks in /etc/firewall-masqhosts |
| | | # the script assumes any address without a "/" netmask afterwards |
| | | # is an individual address (netmask /255.255.255.255): |
| | | #if [ -f /etc/firewall-masqhosts ]; then |
| | | # echo "Reading list of masq hosts from /etc/firewall-masqhosts" |
| | | # # Read the file, but use 'awk' to strip comments |
| | | # # Note the sed bracket phrase includes a space and tab char |
| | | # IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'` |
| | | #fi |
| | | # |
| | | # Masq modules |
| | | # NB: The script will prepend "ip_masq_" to each module name |
| | | #IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?) |
| | | #IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | IP_MASQ_NETWORK="" # DISABLE/SAFEST |
| | | IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED |
| | | |
| | | |
| | | # 8) How to react to disallowed packets (all systems) |
| | | # whether to "REJECT" or "DROP" disallowed packets; if you're running any |
| | | # public services, you probably ought to use "REJECT"; if in serious stealth |
| | | # mode, choose "DROP" so simple probes don't know if there's anything out there |
| | | # NOTE: disallowed ICMP packets are discarded with "DROP", as |
| | | # it would not make sense to "reject" the packet if you're |
| | | # trying to disallow ping/traceroute |
| | | # NOTE: the scripts that set up the filter rules will interpret these |
| | | # keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains |
| | | # |
| | | REJECT_METHOD="DROP" |
| | | |
| | | |
| | | # 9) DHCP (Linux 2.2/ipchains only) |
| | | # In case your server needs to get a DHCP address from some other |
| | | # machine (e.g. cable modem) |
| | | #DHCP_IFACES="eth0" # example, to allow you to query on eth0 |
| | | #DHCP_IFACES="" # DISABLED |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | DHCP_IFACES="" # DISABLED |
| | | |
| | | |
| | | # 10) NTP servers (Linux 2.2/ipchains only) |
| | | # more UDP fun. List IP addresses or network space of NTP servers |
| | | # |
| | | #NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST |
| | | #NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST |
| | | |
| | | |
| | | # 11) more ICMP. (Linux 2.2/ipchains only) |
| | | # Control the outbound ICMP to make yourself invisible to |
| | | # traceroute probes |
| | | # |
| | | #ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" |
| | | # |
| | | # Please make sure variable assignments are on single lines; do NOT |
| | | # use the "\" continuation character (so Bastille can change the |
| | | # values if it is run more than once) |
| | | ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" |
| | | |
| | | |
| | | # 12) Logging (all systems) |
| | | # With this enabled, ipchains will log all blocked packets. |
| | | # ** this could generate huge logs ** |
| | | # This is primarily intended for the port mointoring system; |
| | | # also note that you probably do not want to "AUDIT" any services |
| | | # that you are not allowing, as doing so would mean duplicate |
| | | # logging |
| | | LOG_FAILURES="N" # do not log blocked packets |
| | | |
| | | # 13) Block fragmented packets (all systems) |
| | | # There's no good reason to allow these |
| | | #ALLOW_FRAGMENTS="N" # safest |
| | | ALLOW_FRAGMENTS="Y" # old behavior |
| | | |
| | | # 14) Prevent SMB broadcasts from leaking out NAT setup (all systems) |
| | | # Windows machines will poll teh net with SMB broadcasts, |
| | | # basically advertising their existence. Most folks agree |
| | | # that this traffic should be dropped |
| | | #DROP_SMB_NAT_BCAST="N" # allow them (are you sure?) |
| | | DROP_SMB_NAT_BCAST="Y" # drop those packets |
| | | |
| | | # 15) Log level (iptables/netfilter/Linux 2.4 only) |
| | | # Control what level of logging is used when the firewall logs |
| | | # information. Default is warning (4). Lowest priority is |
| | | # debug (7); highest is emergency (0). To prevent syslog |
| | | # from copying iptables error messages to the console, set |
| | | # this to 6 (7 would also work, but 6 is recommended) |
| | | # You can also stop syslogd/klogd from printing kernel |
| | | # messages to the console by issuing the command |
| | | # setterm -msg off |
| | | #IP_LOG_LEVEL=6 # level used in 2.2/ipchains |
| | | IP_LOG_LEVEL=4 # iptables/netfilter default |
| | | |
| | | # 16) Always attempt to use stateful features for inbound connections |
| | | # Always using state will allow the firewall to reject invalid |
| | | # packets sent to otherwise open TCP services, e.g. XMAS, NULL |
| | | # and SIN/FYN scans. The downside to choosing this behavior is that |
| | | # services may become unreachable if the packet filter's state |
| | | # table becomes full. |
| | | IP_ALWAYS_USE_STATE="N" # default, ensures services remain available |
| | | #IP_ALWAYS_USE_STATE="Y" # disallow invalid packets |
New file |
| | |
| | | <?php |
| | | |
| | | /* |
| | | Copyright (c) 2008, Till Brehm, projektfarm Gmbh |
| | | All rights reserved. |
| | | |
| | | Redistribution and use in source and binary forms, with or without modification, |
| | | are permitted provided that the following conditions are met: |
| | | |
| | | * Redistributions of source code must retain the above copyright notice, |
| | | this list of conditions and the following disclaimer. |
| | | * Redistributions in binary form must reproduce the above copyright notice, |
| | | this list of conditions and the following disclaimer in the documentation |
| | | and/or other materials provided with the distribution. |
| | | * Neither the name of ISPConfig nor the names of its contributors |
| | | may be used to endorse or promote products derived from this software without |
| | | specific prior written permission. |
| | | |
| | | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND |
| | | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
| | | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. |
| | | IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, |
| | | INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, |
| | | BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| | | DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
| | | OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
| | | NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, |
| | | EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| | | */ |
| | | |
| | | class firewall_plugin { |
| | | |
| | | var $plugin_name = 'firewall_plugin'; |
| | | var $class_name = 'firewall_plugin'; |
| | | |
| | | |
| | | /* |
| | | This function is called when the plugin is loaded |
| | | */ |
| | | |
| | | function onLoad() { |
| | | global $app; |
| | | |
| | | /* |
| | | Register for the events |
| | | */ |
| | | |
| | | //* Mailboxes |
| | | $app->plugins->registerEvent('firewall_insert',$this->plugin_name,'insert'); |
| | | $app->plugins->registerEvent('firewall_update',$this->plugin_name,'update'); |
| | | $app->plugins->registerEvent('firewall_delete',$this->plugin_name,'delete'); |
| | | |
| | | |
| | | } |
| | | |
| | | |
| | | function insert($event_name,$data) { |
| | | global $app, $conf; |
| | | |
| | | $this->update($event_name,$data); |
| | | |
| | | } |
| | | |
| | | function update($event_name,$data) { |
| | | global $app, $conf; |
| | | |
| | | $tcp_ports = ''; |
| | | $udp_ports = ''; |
| | | |
| | | $ports = explode(',',$data["new"]["tcp_port"]); |
| | | if(is_array($ports)) { |
| | | foreach($ports as $p) { |
| | | $p_int = intval($p); |
| | | if($p_int > 0) $tcp_ports .= $p_int . ' '; |
| | | } |
| | | } |
| | | $tcp_ports = trim($tcp_ports); |
| | | |
| | | $ports = explode(',',$data["new"]["udp_port"]); |
| | | if(is_array($ports)) { |
| | | foreach($ports as $p) { |
| | | $p_int = intval($p); |
| | | if($p_int > 0) $udp_ports .= $p_int . ' '; |
| | | } |
| | | } |
| | | $udp_ports = trim($udp_ports); |
| | | |
| | | |
| | | $tpl = new tpl(); |
| | | $tpl->newTemplate("bastille-firewall.cfg.master"); |
| | | |
| | | $tpl->setVar("TCP_PUBLIC_SERVICES",$tcp_ports); |
| | | $tpl->setVar("UDP_PUBLIC_SERVICES",$udp_ports); |
| | | |
| | | file_put_contents('/etc/Bastille/bastille-firewall.cfg',$tpl->grab()); |
| | | $app->log('Writing firewall configuration /etc/Bastille/bastille-firewall.cfg',LOGLEVEL_DEBUG); |
| | | unset($tpl); |
| | | |
| | | if($data["new"]["active"] == 'y')) { |
| | | exec('/etc/init.d/bastille-firewall restart'); |
| | | if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall defaults'); |
| | | $app->log('Restarting the firewall',LOGLEVEL_DEBUG); |
| | | } else { |
| | | exec('/etc/init.d/bastille-firewall stop'); |
| | | if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall remove'); |
| | | $app->log('Stopping the firewall',LOGLEVEL_DEBUG); |
| | | } |
| | | |
| | | |
| | | } |
| | | |
| | | function delete($event_name,$data) { |
| | | global $app, $conf; |
| | | |
| | | exec('/etc/init.d/bastille-firewall stop'); |
| | | if(@is_file('/etc/debian_version')) exec('update-rc.d bastille-firewall remove'); |
| | | $app->log('Stopping the firewall',LOGLEVEL_DEBUG); |
| | | |
| | | } |
| | | |
| | | |
| | | |
| | | |
| | | } // end class |
| | | |
| | | ?> |
| | |
| | | if($data["new"]["type"] == 'mysql') { |
| | | if(!include_once(ISPC_LIB_PATH.'/mysql_clientdb.conf')) { |
| | | $app->log('Unable to open'.ISPC_LIB_PATH.'/mysql_clientdb.conf',LOGLEVEL_ERROR); |
| | | return; |
| | | } |
| | | |
| | | //* Connect to the database |